1464 matches found
CSRF vulnerabilities in requests
requests 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleti...
XXE vulnerability in xcode-plugin
xcode-plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the Xcode build step to have Jenkins parse a crafted Xcode Workspace File that uses external entities for extraction of secrets...
Missing permission check in electricflow allows scheduling builds
electricflow 1.1.21 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. electricflow 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint...
CSRF vulnerability and missing permission checks in dependency-track allow capturing credentials
dependency-track 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials...
Passwords stored in plain text by jabber
jabber 1.41 and earlier stores passwords unencrypted in its global configuration file hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. jabber 1.4...
CSRF vulnerability and missing permission check in Team Foundation Server allow capturing credentials
Team Foundation Server 5.157.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Stored XSS vulnerability in rest-list-parameter
rest-list-parameter 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. rest-list-parameter 1.3.1 no longer identifies a parameter using...
Missing permission check in Team Foundation Server allows enumerating credentials IDs
Team Foundation Server 5.157.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Support bundles can include user session IDs in support-core
support-core 2.72 and earlier provides the serialized user authentication as part of the "About user basic authentication details only" information user.md. In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle...
Stored XSS vulnerability in repository-connector
repository-connector 2.0.2 and earlier does not escape parameter names and descriptions for past builds. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. repository-connector 2.0.3 escapes parameter names and descriptions whe...
XSS vulnerability in claim
claim 2.18.1 and earlier does not escape the user display name shown in claims. This results in a cross-site scripting XSS vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. NOTE: Everyone...
Missing permission check for paths with specific prefix
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with...
XSS vulnerability in notification bar
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents typically shown after form submissions via Apply button. This results in a cross-site scripting XSS vulnerability exploitable by attackers able to influence notification bar contents. Jenkins...
Missing permission checks in chaos-monkey
chaos-monkey 0.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to generate load and to generate memory leaks. chaos-monkey 0.4 requires Overall/Administer permission to generate load and to generate memory leaks...
Missing permission check in mercurial
mercurial 2.11 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. mercurial 2.12 performs permission checks when listing configured Mercurial installations...
Missing permission checks in azure-keyvault allow enumerating credentials IDs
azure-keyvault 2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission check in blueocean
Updated 2020-09-16: This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it. blueocean 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests...
Stored XSS vulnerability in description-column-plugin
description-column-plugin 1.3 and earlier does not escape the job description in the column tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Reflected XSS vulnerability in JSGames
JSGames 0.2 and earlier evaluates part of a URL as code. This results in a reflected cross-site scripting XSS vulnerability. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in git-parameter
git-parameter 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. git-parameter 0.9.13 escapes the repository field on the 'Build with...
Stored XSS vulnerability in 'keep forever' badge icons
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure job names. As job names do not generally support the character set...
Stored XSS vulnerability in upstream cause
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the job display...
Stored XSS vulnerability in matrix-auth
matrix-auth 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting XSS vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission,...
Stored XSS vulnerability in echarts-api
echarts-api 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Run/Update permission. echarts-api 4.7.0-4 escapes the display name...
Missing SSH host key validation in ec2
ec2 1.50.1 and earlier does not use SSH host key validation when connecting to agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. ec2 1.50.2 provides strategies for performing host key validation for administrators to...
RCE vulnerability in pipeline-aws
pipeline-aws 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to provide YAML input files to pipeline-aws's build steps. pipeline-aws 1.41 configures its YAML...
XXE vulnerability in rundeck
rundeck 3.6.6 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security 1.70 and earlier can be circumvented through: Crafted constructor calls and bodies due to an incomplete fix of SECURITY-582 Crafted method calls on objects that implement GroovyInterceptable This allows attackers able to specify and run sandboxed scripts to...
RCE vulnerability in google-kubernetes-engine
google-kubernetes-engine 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to google-kubernetes-engine's build step...
Password stored in plain text by applatix
applatix 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
RCE vulnerability in radargun
radargun 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure radargun's build step. radargun 1.8 configures its YAML parser to only instantiate safe types...
Inbound TCP Agent Protocol/3 authentication bypass
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between controller and agents. While this protocol has been deprecated in 2018 and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS...
redgate-sql-ci stored credentials in plain text
redgate-sql-ci 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system. This is due to an incomplete fix of SECURITY-1598...
SCTMExecutor stores credentials in plain text
SCTMExecutor 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files. While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credential...
CSRF vulnerability in dynatrace-dashboard
dynatrace-dashboard did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password. dynatrace-dashboard now requires POST requests for thi...
Arbitrary file read vulnerability in google-oauth-plugin
google-oauth-plugin allowed the creation of credentials based on the content of files on the Jenkins controller through a feature retaining backwards compatibility with earlier plugin releases. This allowed users with the permission to configure jobs and credentials to read arbitrary files on the...
view26 stores access token in plain text
view26 stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
CodeScan stores credentials in plain text
CodeScan stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission check in project-inheritance
project-inheritance allows the creation of projects based on templates defined in the plugin configuration. A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did not...
azure-event-grid-notifier stores credentials in plain text
azure-event-grid-notifier stores the Azure Event Grid secret key unencrypted in job config.xml files on the Jenkins controller. This key can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in build-environment
build-environment did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applie...
Stored XSS vulnerability in dashboard-view
dashboard-view did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. dashboard-view now applies the configured markup formatter to the build...
beaker-builder stored credentials in plain text
beaker-builder stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. beaker-builder now stores these credentials encrypted...
testlink stores credentials in plain text
testlink stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Google Cloud Messaging Notification stores credentials in plain text
Google Cloud Messaging Notification stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisor...
Sandbox bypass through method pointer expressions in script-security
Sandbox protection in script-security could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. Method pointer subexpression...
skytap stored credentials in plain text
skytap stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. skytap now stores credentials encrypted...
Missing permission check in workflow-cps-global-lib
workflow-cps-global-lib provides form validation to determine whether the revision e.g. commit, tag, or branch name specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an...
Sandbox bypass through type casts in script-security
Sandbox protection in script-security could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren't approved. Additionally, this could be used to read arbitrary files on the Jenkins controller. Casting...
Unsafe entry in Script Security list of approved signatures in workflow-remote-loader
workflow-remote-loader provides a custom list of pre-approved signatures for Script Security. Those entries apply to all scripts with sandbox protection, such as Pipeline. One entry provided here was unsafe, as it allowed invoking arbitrary methods, bypassing sandbox protection. The unsafe...