1464 matches found
Server-side request forgery vulnerability in CAS Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
CLI and UI allow non-admin users to enumerate installed plugins
Users with Overall/Read permission were able use the list-plugins CLI command and view the About Jenkins page to list all installed plugins. Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission...
Cross-site scripting vulnerability in confirmation dialogs displaying item names
Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. JavaScript confirmation dialogs that include the item name now properly escape it, so it c...
Ansible Plugin disabled host key verification by default
Ansible Plugin disabled host key verification by default, having it only as an opt-in option. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out. Existing configurations that previously did not opt into host key verification will have host ke...
Reverse Proxy Auth persisted authorities cache on disk
Reverse Proxy Auth Plugin persisted a cache of granted authorities group memberships on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of...
Path traversal vulnerability allows access to files outside plugin resources
Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins controller they should not have access to. On Windows, any file accessible to the...
Missing permission checks in ec2-deployment-dashboard allow enumerating credentials IDs
ec2-deployment-dashboard 1.0.10 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anoth...
Tokens stored in plain text by build-notifications
build-notifications 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration: Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml Slack Bot Token in...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 allows specifying a link query parameter that build status badges will link to, without restricting possible values. This results in a reflected cross-site scripting XSS vulnerability. embeddable-build-status 2.0.4 limits URLs to http and https protocols and correctl...
RCE vulnerability in google-kubernetes-engine
google-kubernetes-engine 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to google-kubernetes-engine's build step...
SCTMExecutor stores credentials in plain text
SCTMExecutor 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files. While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credential...
view26 stores access token in plain text
view26 stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
Path traversal vulnerability in Stapler allowed accessing internal data
A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type. This could be used to access internal data of routable objects, commonly by showing their string representation toString...
XSS vulnerability in Stapler debug mode
Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability. Parts of URLs...