1464 matches found
Password stored in plain text by environment-manager
environment-manager 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no...
Reflected XSS vulnerability in gitlab-hook
gitlab-hook 1.4.2 and earlier does not escape project names in the buildnow endpoint. This results in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
CSRF vulnerability in mantis
mantis 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials. As of publication of this advisory...
sonar-gerrit stored credentials in plain text
sonar-gerrit stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
Stored XSS vulnerability in pegdown-formatter
pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting XSS as a feature. pegdown-formatter does not prevent the use of javascript: scheme in URLs for links. This...
Clickjacking vulnerability in Monitoring Plugin
Monitoring Plugin did not set the X-Frame-Options header, allowing its pages to be embedded. This could result in clickjacking attacks. Monitoring Plugin now sets the X-Frame-Options header to sameorigin, preventing embedding...
Arachni Scanner Plugin stored credentials in plain text
Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing configurations are migrated...
Missing permission check in Metadata Plugin allows unauthorized users to change Metadata Plugin configuration
Metadata Plugin lacks a permission check that allows users with Overall/Read access to Jenkins to change the plugin's configuration. As of publication of this advisory, there is no fix...
SECURITY-657
Bulletin has no description...
SECURITY-656
Bulletin has no description...
SECURITY-695
Bulletin has no description...
SECURITY-675
Bulletin has no description...
Open redirect vulnerability in "Delegate to servlet container" security realm
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. Jenkins...
Deserialization vulnerability
Jenkins uses serialization and deserialization in multiple places, like agent/controller communication the Remoting library and to load and save configuration and build data using XStream. To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that on...
Missing permission check allows canceling queue items
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint. This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. NOTE: This is due to an incomplete...
RCE vulnerability from unvalidated LDAP referrals in active-directory
active-directory 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadget...
CSRF vulnerability in jenkins-multijob-plugin allows resuming builds
jenkins-multijob-plugin 662.vd2e0001f6bbd and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to resume failed Multijob builds. jenkins-multijob-plugin 669.v9d96ad9c71b0 requires POST...
Arbitrary file read vulnerability in email-ext
email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...
Open redirect vulnerability in azure-ad
azure-ad 666.v6060de32f87d and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. azure-ad 667.v4c5827ae74a0 only redirects to...
OS command injection vulnerability on agents in git-client
git-client generates temporary script files to provide credentials e.g., SSHASKPASS. In git-client 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the...
CSRF vulnerability and missing permission check in themis
themis 1.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...
Missing permission checks in global-build-stats allow enumerating graph IDs
global-build-stats 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints. This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs. global-build-stats 347.v32aeb0493c4f requires Overall/Administer...
AWS Secret Key stored and displayed in plain text by statistics-gatherer
statistics-gatherer 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins...
Stored XSS vulnerability in authorize-project
authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...
XXE vulnerability in ivytrigger
ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...
Script security sandbox bypass vulnerability in shared-library-version-override
shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...
Missing permission checks in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...
Arbitrary file read vulnerability in mathworks-polyspace
mathworks-polyspace 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step. This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system. As of publication of this advisory,...
CSRF vulnerability in ldap
ldap 673.v034ec70ec2bb and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. ldap...
CSRF vulnerability and missing permission checks in tag-profiler
tag-profiler 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As ...
XSS vulnerability in bundled email templates in email-ext
email-ext bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build. email-ext 2.93 and earlier does not escape various fields included in those email templates, lik...
Keys stored in plain text by jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller...
Missing hostname validation in smalltest
smalltest 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce...
Agent-to-controller security bypass in xunit
xunit 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain...
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...
XXE vulnerability in nested-view
nested-view 1.20 and earlier does not configure its XML transformer to prevent XML external entity XXE attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or...
XXE vulnerability in nuget
nuget 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This XML parser is used for the "Build on NuGet updates" feature. This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a...
Missing permission check in s3
s3 0.11.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain the list of configured profiles. s3 0.11.7 performs permission checks when providing a list of configured profiles...
Incorrect permission check in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer to view its administrative...
Missing permission check in pipeline-maven allows enumerating credentials IDs
pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
RCE vulnerability in scm-filter-jervis
scm-filter-jervis 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to configure jobs with the filter, or control the contents of a previously configured job's S...
XXE vulnerability in code-coverage-api
code-coverage-api 1.1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Missing SSH host key validation in mac
mac 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. mac 1.2.0 validates SSH host keys when connecting to agents...
XXE vulnerability in nunit
nunit 0.25 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller,...
Credential stored in plain text by bmc-rpd
bmc-rpd 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
XXE vulnerability in robot
robot 2.0.0 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets fro...
Users with Overall/Read access could enumerate credential IDs in crx-content-package-deployer
crx-content-package-deployer provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be...
aqua-serverless showed plain text password in job configuration form fields
aqua-serverless stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and...
Stored XSS vulnerability in build-pipeline-plugin
build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
port-allocator stores credentials in plain text
port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...