1464 matches found
Token stored and displayed in plain text by sensedia-api-platform
sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Tokens displayed without masking by zoom
zoom requires Zoom integration tokens for Zoom Build Notifier post-build actions. In zoom 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. zoom 1.6 masks Zoom integration tokens displayed on the job...
CSRF vulnerability and missing permission checks in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...
Arbitrary file read vulnerability through the CLI can lead to RCE
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...
DoS vulnerability in analysis-model-api
analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...
CSRF vulnerability and missing permission check in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...
XXE vulnerability in external-monitor-job
external-monitor-job 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from t...
Stored XSS vulnerability in workflow-job
workflow-job 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set build display...
CSRF vulnerability and missing permission checks in tag-profiler
tag-profiler 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As ...
Command injection vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...
Missing permission checks in azure-credentials allow enumerating credentials IDs
azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Git releases with critical vulnerabilities on Jenkins Docker images
The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...
Keys stored in plain text by jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller...
SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...
Missing permission checks in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Agent-to-controller security bypass in xunit
xunit 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain...
XXE vulnerability in nested-view
nested-view 1.20 and earlier does not configure its XML transformer to prevent XML external entity XXE attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or...
Missing permission check in s3
s3 0.11.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain the list of configured profiles. s3 0.11.7 performs permission checks when providing a list of configured profiles...
Incorrect permission check in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer to view its administrative...
Missing permission check in pipeline-maven allows enumerating credentials IDs
pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
RCE vulnerability in scm-filter-jervis
scm-filter-jervis 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to configure jobs with the filter, or control the contents of a previously configured job's S...
XXE vulnerability in code-coverage-api
code-coverage-api 1.1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of...
XSS vulnerability in usemango-runner
Multiple form validation endpoints in usemango-runner 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting XSS vulnerability exploitable by users able to control the values returned from the useMango service. usemango-runner 1.5 escapes a...
Missing SSH host key validation in mac
mac 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. mac 1.2.0 validates SSH host keys when connecting to agents...
Credential stored in plain text by bmc-rpd
bmc-rpd 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
Reflected XSS vulnerability in gitlab-hook
gitlab-hook 1.4.2 and earlier does not escape project names in the buildnow endpoint. This results in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
XXE vulnerability in robot
robot 2.0.0 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets fro...
vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation
vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...
violation-comments-to-gitlab stored credentials in plain text
violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...
aqua-serverless showed plain text password in job configuration form fields
aqua-serverless stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and...
Arbitrary file read vulnerability in filesystem_scm
filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in build-pipeline-plugin
build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
Stored XSS vulnerability in pegdown-formatter
pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting XSS as a feature. pegdown-formatter does not prevent the use of javascript: scheme in URLs for links. This...
port-allocator stores credentials in plain text
port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
zap stores credentials in plain text
zap stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Rabbit-MQ Publisher Plugin stored password in plain text
Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...
SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud
A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as...
Sandbox Bypass in Script Security Plugin
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...
GitHub Authentication Plugin showed plain text client secret in configuration form
GitHub Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret...
Jenkins allowed deserialization of <code>URL</code> objects with host components
Jenkins allowed deserialization of URL objects via Remoting agent communication and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods...
CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery
TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...
Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials Binding Plugin
SSH Credentials Plugin allowed the creation of SSH credentials with keys "From a file on Jenkins controller". Credentials Binding Plugin 1.13 and newer allows binding SSH credentials to environment variables. In combination, these two features allow users with the permission to configure a job to...
Server-side request forgery vulnerability in GitHub Branch Source Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Perforce Plugin credentials can be obtained by users with Job/Extended Read permission
Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations. Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins,...
Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...
Environment Injector Plugin before 1.91 stored sensitive build variables
EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 released on Mar 08, 2015 however did not exempt sensitive variables...
SECURITY-659
Bulletin has no description...
SECURITY-521
Bulletin has no description...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...
Missing permission check in jenkinsci-appspider-plugin allows sending requests
jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...