1464 matches found
CSRF vulnerability in Email Extension Template Plugin
Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates. These URLs now require POST requests...
PAM Authentication Plugin did not properly validate user accounts
The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts. The bundled version of the library was updated to include the fix for this...
Unauthorized users could cancel scheduled restarts initiated from the update center
Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center "Restart Jenkins when installation is complete and no jobs are running" due to a lack of permission checks. Access to the affected URL is now limited to users with...
"Remember me" cookie was evaluated even if that feature is disabled
The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in. "Remember me" cookies are no longer evaluated when the corresponding feature is disabled...
meliora-testlab Plugin stored API Key in plain text
meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. Additionally, the API key was not masked from view using a password form fiel...
Unauthorized users could initiate and abort agent launches
The URL that initiates agent launches on the Jenkins controller did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches. Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching...
AWS CodeDeploy Plugin stored AWS Secret Key in plain text
AWS CodeDeploy Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked fr...
Server-side request forgery vulnerability in URLTrigger Plugin
A form validation method in URLTrigger Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting ...
Configuration as Code Plugin logged passwords in clear text
Configuration as Code Plugin logged secrets set via its configuration to the Jenkins controller system log in plain text. This allowed users with access to the Jenkins log files to obtain these passwords and similar secrets. Secrets are now masked when logging configuration...
Server-side request forgery vulnerability in CAS Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
CLI and UI allow non-admin users to enumerate installed plugins
Users with Overall/Read permission were able use the list-plugins CLI command and view the About Jenkins page to list all installed plugins. Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission...
Open redirect vulnerability in Google Login Plugin
Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks. Google Login Plugin now only performs redirects to relative URLs...
Cross-site scripting vulnerability in confirmation dialogs displaying item names
Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. JavaScript confirmation dialogs that include the item name now properly escape it, so it c...
Ansible Plugin disabled host key verification by default
Ansible Plugin disabled host key verification by default, having it only as an opt-in option. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out. Existing configurations that previously did not opt into host key verification will have host ke...
Reverse Proxy Auth persisted authorities cache on disk
Reverse Proxy Auth Plugin persisted a cache of granted authorities group memberships on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of...
Path traversal vulnerability allows access to files outside plugin resources
Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins controller they should not have access to. On Windows, any file accessible to the...
Improper masking of credentials in credentials-binding
credentials-binding 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log. credentials-binding 687.689.v1af775332fc9 rethrows exceptions that contain credentials, masking those credential...
CSRF vulnerability in simple-queue
simple-queue 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. simple-queue 1.4.7 requires POST requests for the affected HTTP...
Incorrect permission checks in google-compute-engine
google-compute-engine 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate system-scoped...
Non-constant time webhook token comparison in multibranch-scan-webhook-trigger
multibranch-scan-webhook-trigger 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory...
Builds can be filtered by values of sensitive build variables
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 both inclusive, LTS 2.60.1 through 2.414.1 both inclusive does not exclude sensitive build variables...
Temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
Stored XSS vulnerability in build-failure-analyzer
build-failure-analyzer 2.4.1 and earlier does not escape Failure Cause names in build logs. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create or update Failure Causes. build-failure-analyzer 2.4.2 escapes Failure Cause names in build logs...
HTML injection vulnerability in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses...
Non-constant time token comparison in tuleap-oauth
tuleap-oauth 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. tuleap-oauth 1.1.21 uses a constant-time comparison when...
Stored XSS vulnerability in docker-swarm
docker-swarm processes Docker responses to generate the Docker Swarm Dashboard view. docker-swarm 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting XSS vulnerability exploitable by...
CSRF vulnerability and missing permission check in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified...
Missing permission check in thycotic-secret-server allows enumerating credentials IDs
thycotic-secret-server 1.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability in octoperf
octoperf 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anothe...
Missing permission check in octoperf allows enumerating credentials IDs
octoperf 4.5.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
CSRF vulnerability and missing permission checks in octoperf
octoperf 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST requests,...
Workspace temporary directories accessible through directory browser
Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically...
XSS vulnerability in update-center2
https://github.com/jenkins-infra/update-center2/update-center2 is the tool used to generate the Jenkins update sites hosted on updates.jenkins.io. NOTE: While it is designed for use by the Jenkins project for this purpose, others may be using it to operate their own self-hosted update sites...
Stored XSS vulnerability in custom email templates in email-ext
email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. The Email Template Testing feature can be used to see what these templates would look like based on a given build by specifying the managed:...
CSRF vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. bitbucket-oauth 0.13 implements a...
Missing permission checks in macstadium-orka allow enumerating credentials IDs
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission checks in cisco-spark-notifier allow enumerating credentials IDs
cisco-spark-notifier 1.1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in macstadium-orka allow capturing credentials
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored ...
CSRF vulnerability in gerrit-trigger
gerrit-trigger 2.38.0 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild previous builds triggered by Gerrit. gerrit-trigger 2.38.1 requires POST requests for the...
XXE vulnerability in plot
plot 2.1.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the...
Stored XSS vulnerability in spring-config
spring-config 2.0.0 and earlier does not escape build display names shown on the Spring Config view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change build display names. spring-config 2.0.1 escapes build display names shown on the Spring...
CSRF vulnerability in sonar-gerrit
sonar-gerrit 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to have Jenkins connect to Gerrit servers previously configured by Jenkins administrators using attacker-specified...
Stored XSS vulnerability in junit
junit 1159.v0b396e1e07dd and earlier converts HTTPS URLs in test report output to clickable links. This is done in an unsafe manner, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. junit 1160.vf1f01aaeab7f no longer converts UR...
Arbitrary file read vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library that...
Password stored in plain text by reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by attackers with access to the Jenkins controller file system. reverse-proxy-auth-plugin 1.7....
XXE vulnerability on agents in OSF Builder Suite : : XML Linter
OSF Builder Suite : : XML Linter 1.0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML files that get processed by the 'OSF Builder Suite : : XML Linter' build step to have agent processes parse a crafted file tha...
Lack of authentication mechanism for webhook in dockerhub-notification
dockerhub-notification provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt. In dockerhub-notification 2.6.2 and earlier, these endpoints can be accessed without authentication. This allows unauthenticated attackers to trigger...
XXE vulnerability on agents in sourcemonitor
sourcemonitor 0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for...
Non-constant time webhook token comparison in generic-webhook-trigger
generic-webhook-trigger 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. generic-webhook-trigger 1.84.2 uses a...
CSRF protection for any URL can be bypassed in pipeline-input-step
pipeline-input-step 451.vf1aa4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step proceed or abort and is not correctly encoded. This allows attackers able to configur...