Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•5 views

Server-side request forgery vulnerability in CAS Plugin

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...

5.5CVSS5.7AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/05/09 12:0 a.m.•5 views

CLI and UI allow non-admin users to enumerate installed plugins

Users with Overall/Read permission were able use the list-plugins CLI command and view the About Jenkins page to list all installed plugins. Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission...

4.3CVSS5.6AI score0.01115EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/11 12:0 a.m.•5 views

Cross-site scripting vulnerability in confirmation dialogs displaying item names

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. JavaScript confirmation dialogs that include the item name now properly escape it, so it c...

5.4CVSS5.2AI score0.00884EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•5 views

Ansible Plugin disabled host key verification by default

Ansible Plugin disabled host key verification by default, having it only as an opt-in option. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out. Existing configurations that previously did not opt into host key verification will have host ke...

6.8CVSS5.9AI score0.00718EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•5 views

Reverse Proxy Auth persisted authorities cache on disk

Reverse Proxy Auth Plugin persisted a cache of granted authorities group memberships on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of...

3.3CVSS4.7AI score0.00349EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/14 12:0 a.m.•5 views

Path traversal vulnerability allows access to files outside plugin resources

Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins controller they should not have access to. On Windows, any file accessible to the...

6.5CVSS6.9AI score0.0388EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/06/30 12:0 a.m.•4 views

Missing permission checks in ec2-deployment-dashboard allow enumerating credentials IDs

ec2-deployment-dashboard 1.0.10 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anoth...

4.3CVSS5.1AI score0.00684EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/06/30 12:0 a.m.•4 views

Tokens stored in plain text by build-notifications

build-notifications 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration: Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml Slack Bot Token in...

4.3CVSS5AI score0.00557EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/06/22 12:0 a.m.•4 views

Reflected XSS vulnerability in embeddable-build-status

embeddable-build-status 2.0.3 allows specifying a link query parameter that build status badges will link to, without restricting possible values. This results in a reflected cross-site scripting XSS vulnerability. embeddable-build-status 2.0.4 limits URLs to http and https protocols and correctl...

8.8CVSS5.8AI score0.00911EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/02/12 12:0 a.m.•4 views

RCE vulnerability in google-kubernetes-engine

google-kubernetes-engine 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to google-kubernetes-engine's build step...

8.8CVSS8.9AI score0.02745EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•4 views

SCTMExecutor stores credentials in plain text

SCTMExecutor 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files. While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credential...

5.3CVSS5.4AI score0.00576EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•4 views

view26 stores access token in plain text

view26 stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00469EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/10/10 12:0 a.m.•4 views

Path traversal vulnerability in Stapler allowed accessing internal data

A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type. This could be used to access internal data of routable objects, commonly by showing their string representation toString...

6.5CVSS6.5AI score0.03256EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/18 12:0 a.m.•4 views

XSS vulnerability in Stapler debug mode

Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability. Parts of URLs...

5.4CVSS5.3AI score0.00894EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464