1464 matches found
AWS Secret Key stored and displayed in plain text by statistics-gatherer
statistics-gatherer 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins...
Script security sandbox bypass vulnerability in shared-library-version-override
shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...
Stored XSS vulnerability in authorize-project
authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...
Exposure of multi-line secrets through error messages in Jenkins
Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line...
Missing permission checks in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...
Non-constant time webhook token comparison in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-branch-source...
Improper masking of credentials in nodejs
nodejs integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. nodejs 1.6.0 and earlier does not properly mask i.e., replace with asterisks credentials specified in...
Stored XSS vulnerability in checkmarx
checkmarx processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI. checkmarx 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site...
Missing permission check in build-publisher
build-publisher 1.22 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins...
Promotion names in promoted-builds are not validated when using Job DSL
promoted-builds provides dedicated support for defining promotions using Job DSL Plugin. promoted-builds 873.v6149dbd64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a...
CSRF vulnerability and missing permission checks in mailer
mailer 391.ve4a38c1bcf4b and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Additionally, this form validation method does n...
CSRF vulnerability in mantis
mantis 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials. As of publication of this advisory...
sonar-gerrit stored credentials in plain text
sonar-gerrit stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
sitemonitor globally and unconditionally disables SSL/TLS certificate validation
sitemonitor unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. sitemonitor no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin
Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as...
Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin
A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password. Additionally, this form validation...
Acunetix Plugin stored API key in plain text
Acunetix Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin...
Stored XSS vulnerability in Git Changelog Plugin
Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting XSS vulnerability exploitable by users with commit access to specific Git repositories. Git Changelog Plugin 2.7 and newer escape Git commit messages shown on th...
Gitlab Hook Plugin stores and displays GitLab API token in plain text
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to user...
Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations
Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions: - Configure Gerrit servers - Connect and disconnect configured Gerrit servers The missing permission checks have been added...
SECURITY-695
Bulletin has no description...
SECURITY-675
Bulletin has no description...
SECURITY-656
Bulletin has no description...
SECURITY-657
Bulletin has no description...
Arbitrary file read vulnerability in email-ext
email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...
XSS vulnerability in legacy wrapper file in htmlpublisher
htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...
Stored XSS vulnerability in coverage
coverage uses coverage results IDs to create the links to coverage results on the Jenkins UI. coverage 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI. This allows...
CSRF vulnerability and missing permission check in publish-to-bitbucket
publish-to-bitbucket 0.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
CSRF vulnerability and missing permission check in themis
themis 1.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...
API Keys stored in plain text by curseforge-publisher
curseforge-publisher 1.0 and earlier stores API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...
Missing permission check allows obtaining agent names
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget...
Missing permission checks in global-build-stats allow enumerating graph IDs
global-build-stats 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints. This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs. global-build-stats 347.v32aeb0493c4f requires Overall/Administer...
Token stored and displayed in plain text by sensedia-api-platform
sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
XXE vulnerability in ivytrigger
ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...
CSRF vulnerability and missing permission checks in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...
DoS vulnerability in analysis-model-api
analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...
CSRF vulnerability and missing permission check in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...
Arbitrary file read vulnerability in mathworks-polyspace
mathworks-polyspace 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step. This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system. As of publication of this advisory,...
XXE vulnerability in external-monitor-job
external-monitor-job 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from t...
CSRF vulnerability in ldap
ldap 673.v034ec70ec2bb and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. ldap...
Command injection vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...
XSS vulnerability in bundled email templates in email-ext
email-ext bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build. email-ext 2.93 and earlier does not escape various fields included in those email templates, lik...
Git releases with critical vulnerabilities on Jenkins Docker images
The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...
SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...
Webhook endpoint discloses job names to unauthorized users in mercurial
mercurial provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET reques...
Missing hostname validation in smalltest
smalltest 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce...
Missing permission checks in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Password stored in plain text by proxmox
proxmox 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. proxmox 0.6.0 stores the Proxmox Datacenter...
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...
XXE vulnerability in nuget
nuget 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This XML parser is used for the "Build on NuGet updates" feature. This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a...