1464 matches found
elOyente stores credentials in plain text
elOyente stores a password unencrypted in its global configuration file com.technicolor.eloyente.ElOyente.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in build-environment
build-environment did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applie...
Stored XSS vulnerability in dashboard-view
dashboard-view did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. dashboard-view now applies the configured markup formatter to the build...
beaker-builder stored credentials in plain text
beaker-builder stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. beaker-builder now stores these credentials encrypted...
testlink stores credentials in plain text
testlink stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Google Cloud Messaging Notification stores credentials in plain text
Google Cloud Messaging Notification stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisor...
Script sandbox bypass vulnerability in Simple Travis Pipeline Runner
Simple Travis Pipeline Runner defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...
Sandbox bypass through type casts in script-security
Sandbox protection in script-security could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren't approved. Additionally, this could be used to read arbitrary files on the Jenkins controller. Casting...
Sandbox bypass through method pointer expressions in script-security
Sandbox protection in script-security could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. Method pointer subexpression...
Missing permission check in workflow-cps-global-lib
workflow-cps-global-lib provides form validation to determine whether the revision e.g. commit, tag, or branch name specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an...
skytap stored credentials in plain text
skytap stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. skytap now stores credentials encrypted...
CSRF vulnerability and missing permission check in ansible-tower allowed capturing credentials
ansible-tower did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
twitter stores credentials in plain text
twitter stores credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability in OAuth callback in github-oauth
github-oauth did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to...
CSRF vulnerability and missing permission check in cloudtest allow SSRF
A missing permission check in a form validation method in cloudtest allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options. Additionally, the form validation method does not require POST...
TestFairy stores credentials in plain text
TestFairy stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
klaros-testmanagement stores credentials in plain text
klaros-testmanagement stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
cloudcoreo-deploytime stores credentials in plain text
cloudcoreo-deploytime stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CloudShare Docker-Machine Plugin stores credentials in plain text
CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
trac-publisher-plugin stores credentials in plain text
trac-publisher-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
octopusdeploy stores credentials in plain text
octopusdeploy stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
ftppublisher stores credentials in plain text
ftppublisher stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Audit to Database Plugin stores credentials in plain text
Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin
Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types. Script Security and Pipeline: Groovy have been hardened to prevent these methods...
SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin
A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSR...
PRQA Plugin stored password in plain text
PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk...
Script security sandbox bypass in Job DSL Plugin
Job DSL Plugin supports sandboxed Groovy expressions for Job DSL definitions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the Job DSL scripts to bypass the sandbox...
Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration
A missing permission check in an HTTP endpoint allowed users with Overall/Read access to attach a public IP address to an Azure VM in Azure VM Agents Plugin, making a virtual machine publicly accessible. Additionally, this form validation method did not require POST requests, resulting in a CSRF...
Script security sandbox bypass in Matrix Project Plugin
Matrix Project Plugin supports a sandboxed Groovy expression to filter matrix combinations. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to configure a Matrix project to bypass the...
Sandbox Bypasses in Script Security Plugin
The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab 2019-01-08 fix for SECURITY-1266 could be circumvented through use of various Groovy language features: Use of AnnotationCollector Import aliasing Referencing...
Sandbox Bypass in Groovy Plugin
Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming...
Recursive token expansion results in information disclosure and DoS in Token Macro Plugin
Token Macro Plugin recursively applied token expansion. This could be used by users able to affect input to token expansion such as change log messages, to inject additional tokens into the input, which would then be expanded, resulting in information disclosure for example values of environment...
XSS vulnerability via user description in Blue Ocean
Blue Ocean did not properly escape HTML/JavaScript content set on the current user's description field, resulting in a cross-site scripting vulnerability exploitable by administrators and other people accessing Jenkins with the same user account. Blue Ocean now properly escapes HTML/JavaScript...
XSS vulnerability in Config File Provider Plugin
Config File Provider Plugin improperly handled script names in its JavaScript-based UI, resulting in a stored cross-site scripting XSS vulnerability. Config File Provider Plugin now properly handles script names...
XXE vulnerability in Job Import Plugin
Job Import Plugin allows to import jobs from other Jenkins instances. As a first step in this process, Job Import Plugin sends a request to another Jenkins instance, parsing XML REST API output to obtain a list of jobs that could be imported. Job Import Plugin did not configure the XML parser in ...
CSRF vulnerability in Job Import Plugin allowed creating and overwriting jobs, installing some plugins
Job Import Plugin did not require that POST requests are sent to its /import URL, which processes requests to import jobs. This resulted in a cross-site request forgery CSRF vulnerability that could be exploited to create or replace jobs on the local instance if the remote Jenkins instance has...
Session fixation vulnerability in GitHub Authentication Plugin
GitHub Authentication Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. GitHub Authentication Plugin now invalidates the previous session during login and...
Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins. While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions...
Forced migration of user records
The fix for SECURITY-499 introduced a mechanism that renamed user directories on disk as a user with an unsafe user name user ID is loaded. Insufficient input validation allowed attackers to rename such user directories even for users with a safe user name by submitting a crafted user name when...
Reflected XSS vulnerability
The wrapper query parameter for the XML variant of the Jenkins remote API did not validate the specified tag name. This resulted in a reflected cross-site scripting vulnerability. Only legal XML tag names are now allowed for the wrapper query parameter...
Ephemeral user record was created on some invalid authentication attempts
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...
Ephemeral user record creation
By accessing a specific crafted URL on Jenkins instances using Jenkins' own user database, users without Overall/Read access could create ephemeral user records. This behavior could be abused to create a large number of ephemeral user records in memory. Accessing this URL now no longer results in...
Arbitrary file write vulnerability using file parameter definitions
Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to archive the uploaded file on the Jenkins controller, resulting in an arbitrary file write vulnerability. File parameter...
Session fixation vulnerability on user signup
When signing up for a new user account on instances using Jenkins' own user database, Jenkins did not invalidate the existing session and create a new one. This allowed session fixation. Jenkins now invalidates the existing session and creates a new one when logging in after user signup...
CSRF vulnerability and missing permission checks in Jira Plugin allowed capturing credentials
Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability in Config File Provider Plugin
A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability. This URL now requires POST requests...
CSRF vulnerability in Email Extension Template Plugin
Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates. These URLs now require POST requests...
PAM Authentication Plugin did not properly validate user accounts
The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts. The bundled version of the library was updated to include the fix for this...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in HipChat Plugin
HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of ...
Server-side request forgery vulnerability in Crowd 2 Integration Plugin
Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings. Additionally, this form validation...