1464 matches found
XXE vulnerability on agents in sourcemonitor
sourcemonitor 0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for...
CSRF protection for any URL can be bypassed in pipeline-input-step
pipeline-input-step 451.vf1aa4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step proceed or abort and is not correctly encoded. This allows attackers able to configur...
Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline: Groovy Plugin
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...
Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin formerly Pipeline: Shared Groovy Libraries Plugin define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be...
Non-constant time webhook token comparison in generic-webhook-trigger
generic-webhook-trigger 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. generic-webhook-trigger 1.84.2 uses a...
XSS vulnerability
Jenkins 2.367 through 2.369 both inclusive does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control tooltips for this component. NOTE: As of...
Missing permission checks in rundeck
rundeck 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints. This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. As of publication of this...
Stored XSS vulnerability in Walti
Walti 1.0.1 and earlier does not escape the information provided by the Walti API. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide malicious API responses from Walti. As of publication of this advisory, there is no fix. Learn why we announc...
Missing permission checks in CONS3RT allow enumerating credentials IDs
CONS3RT 1.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. ...
Lack of authentication mechanism in git webhook
git provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In git 4.11....
Non-constant time webhook signature comparison in github
github 1.34.4 and earlier does not use a constant-time comparison when checking whether the provided and computed webhook signatures are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook signature. github 1.34.5 uses a constant-time comparison when...
CSRF vulnerability in external-monitor-job
external-monitor-job 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to create runs of an external job. external-monitor-job 192.ve979ca8b3ccd requires POST request...
Path traversal vulnerability in deployer-framework
deployer-framework 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation. This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. deployer-framework...
Missing permission check in rhnpush-plugin allows listing workspace contents
rhnpush-plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...
Missing permission check in rpmsign-plugin allows listing workspace contents
rpmsign-plugin 0.5.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...
Stored XSS vulnerability in maven-metadata-plugin
maven-metadata-plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory...
CSRF vulnerability and missing permission check in openshift-deployer
openshift-deployer 1.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method...
Missing permission checks in hashicorp-vault-plugin allow capturing credentials
hashicorp-vault-plugin 354.vdb858fd6bf48 and earlier does not perform permission checks in several HTTP endpoints performing Vault connection tests. This allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys. hashicorp-vault-plug...
Path traversal vulnerability in deployer-framework allows reading arbitrary files
deployer-framework 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service...
Arbitrary file write vulnerability in clif-performance-testing
clif-performance-testing 64.vc0d66de1dfbf and earlier allows users to extract files from an archive without validating file paths of files contained within the archive. This allows attackers with Overall/Read permission to create or replace arbitrary files on the Jenkins controller file system wi...
Agent-to-controller security bypass in compuware-zadviser-api
compuware-zadviser-api defines a controller/agent message that retrieves Java system properties. compuware-zadviser-api 1.0.3 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system properties...
Stored XSS vulnerability in dynamic_extended_choice_parameter
dynamicextendedchoiceparameter 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn...
Missing permission checks in repository-connector allow enumerating credentials IDs
repository-connector 2.2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission check in repository-connector allows listing the Jenkins controller file system
repository-connector 2.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can b...
Missing permission checks in lucene-search
lucene-search 370.v62a5f618cd3a and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them. As of publication of this advisory, there is no...
Missing permission check in files-found-trigger allows listing the Jenkins controller file system
files-found-trigger 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be...
Reflected XSS vulnerability in lucene-search
lucene-search 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the search result page. This results in a reflected cross-site scripting XSS vulnerability. As of publication of this advisory, there is no fix. Learn why we announce this...
Missing permission check in coverity allows enumerating credentials IDs
coverity 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As ...
Incorrect permission check in requests allows viewing pending requests
requests 2.2.16 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. NOTE: This is basically the same vulnerability as SECURITY-1995, whose fix was ineffective. requests 2.2.17...
XSS vulnerability in project-inheritance
project-inheritance 21.04.03 and earlier does not escape the reason a build is blocked in tooltips. This results in a cross-site scripting XSS vulnerability exploitable by attackers able to control the reason a queue item is blocked. As of publication of this advisory, there is no fix. Learn why ...
Stored XSS vulnerability in matrix-reloaded
matrix-reloaded 1.1.3 and earlier does not escape the agent name in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in matrix-reloaded
matrix-reloaded 1.1.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild previous matrix builds. As of publication of this advisory, there is no fix. Learn why we announce th...
Password stored in plain text by jigomerge
jigomerge 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...
Password stored in plain text by elasticsearch-query
elasticsearch-query 1.2 and earlier stores a password unencrypted in its global configuration file org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins...
Missing permission check in rqm-plugin allows enumerating credentials IDs
rqm-plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As o...
Missing permission checks in xlrelease-plugin allow enumerating credentials IDs
xlrelease-plugin 22.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in xlrelease-plugin allow capturing credentials
xlrelease-plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Stored XSS vulnerability in xfpanel
xfpanel 2.0.1 and earlier does not escape the job names used in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Configure permission. As of publication of this advisory, there is no fix. Learn why w...
API Key stored in plain text by opsgenie
opsgenie 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration. Additionally, they are transmitted in plain text as part of the respectiv...
Incorrect permission check in rrod
rrod 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page listing pending requests. As of publication of this advisory, there is no fix. Learn why we announce this...
Observable timing discrepancy allows determining username validity
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This...
Improper authorization in embeddable-build-status bypasses ViewStatus permission requirement
embeddable-build-status 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or...
CSRF vulnerability and missing permission checks in easyqa
easyqa 1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. Additionally, this form validation method does not require POST requests, resulting in a...
CSRF vulnerability and missing permission check in threadfix
threadfix 1.5.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Passwords stored in plain text by Squash TM Publisher (Squash4Jenkins)
Squash TM Publisher Squash4Jenkins 1.0.0 and earlier stores passwords unencrypted in its global configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller...
Reflected XSS vulnerability in nested-view
nested-view 1.20 through 1.25 both inclusive does not escape search parameters. This results in a reflected cross-site scripting XSS vulnerability. nested-view 1.26 escapes search parameters...
CSRF vulnerability and missing permission checks in jianliao
jianliao 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in...
Multiple XSS vulnerabilities
Multiple cross-site scripting XSS vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript into the Jenkins UI: SECURITY-2779 CVE-2022-34170: Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name,...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Agent Server Parameter 1.1 and earlier SECURITY-2731 / CVE-2022-34183 CRX Content Package Deployer 1.9 and earlier SECURITY-2727 / CVE-2022-34184 Date Parameter Plugin 0.0.4 and earlier SECURITY-2711 /...