Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•10 views

Token stored and displayed in plain text by sensedia-api-platform

sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...

6.5CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•10 views

Tokens displayed without masking by zoom

zoom requires Zoom integration tokens for Zoom Build Notifier post-build actions. In zoom 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. zoom 1.6 masks Zoom integration tokens displayed on the job...

3.1CVSS5.2AI score0.00167EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in svn-partial-release-mgr

svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...

4.3CVSS5.1AI score0.00495EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•10 views

Arbitrary file read vulnerability through the CLI can lead to RCE

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...

9.8CVSS8.7AI score0.99999EPSS
Exploits46Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•10 views

DoS vulnerability in analysis-model-api

analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...

7.5CVSS6.3AI score0.01449EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/09/06 12:0 a.m.•10 views

CSRF vulnerability and missing permission check in aws-codecommit-trigger

aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...

6.5CVSS5.4AI score0.00533EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/07/12 12:0 a.m.•10 views

XXE vulnerability in external-monitor-job

external-monitor-job 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from t...

7.1CVSS6.6AI score0.00507EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/05/16 12:0 a.m.•10 views

Stored XSS vulnerability in workflow-job

workflow-job 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set build display...

7.5CVSS5.3AI score0.00586EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/05/16 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in tag-profiler

tag-profiler 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As ...

4.3CVSS4.8AI score0.00425EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/03/21 12:0 a.m.•10 views

Command injection vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...

9.8CVSS7.3AI score0.00779EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/02/15 12:0 a.m.•10 views

Missing permission checks in azure-credentials allow enumerating credentials IDs

azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...

4.3CVSS5.1AI score0.00511EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/02/09 12:0 a.m.•10 views

Git releases with critical vulnerabilities on Jenkins Docker images

The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...

9.8CVSS9.1AI score0.56334EPSS
Exploits0
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/01/24 12:0 a.m.•10 views

Keys stored in plain text by jira-steps

jira-steps 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller...

5.5CVSS5.6AI score0.00203EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/11/15 12:0 a.m.•10 views

SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration

cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...

7.5CVSS7.2AI score0.00396EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/07/27 12:0 a.m.•10 views

Missing permission checks in compuware-scm-downloader

compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...

6.5CVSS6.4AI score0.00605EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/06/22 12:0 a.m.•10 views

Agent-to-controller security bypass in xunit

xunit 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain...

9.1CVSS8.6AI score0.01213EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2021/08/31 12:0 a.m.•10 views

XXE vulnerability in nested-view

nested-view 1.20 and earlier does not configure its XML transformer to prevent XML external entity XXE attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or...

7.1CVSS7.1AI score0.01321EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2021/05/11 12:0 a.m.•10 views

Missing permission check in s3

s3 0.11.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain the list of configured profiles. s3 0.11.7 performs permission checks when providing a list of configured profiles...

4.3CVSS5AI score0.00733EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•10 views

Incorrect permission check in cloudbees-jenkins-advisor

cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer to view its administrative...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•10 views

Missing permission check in pipeline-maven allows enumerating credentials IDs

pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

6.5CVSS5.6AI score0.00836EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/05/06 12:0 a.m.•10 views

RCE vulnerability in scm-filter-jervis

scm-filter-jervis 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to configure jobs with the filter, or control the contents of a previously configured job's S...

8.8CVSS8.9AI score0.02282EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/04/07 12:0 a.m.•10 views

XXE vulnerability in code-coverage-api

code-coverage-api 1.1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of...

7.1CVSS6.8AI score0.01067EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/04/07 12:0 a.m.•10 views

XSS vulnerability in usemango-runner

Multiple form validation endpoints in usemango-runner 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting XSS vulnerability exploitable by users able to control the values returned from the useMango service. usemango-runner 1.5 escapes a...

5.4CVSS5.4AI score0.00705EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/03/09 12:0 a.m.•10 views

Missing SSH host key validation in mac

mac 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. mac 1.2.0 validates SSH host keys when connecting to agents...

7.4CVSS7.3AI score0.0057EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/02/12 12:0 a.m.•10 views

Credential stored in plain text by bmc-rpd

bmc-rpd 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/01/15 12:0 a.m.•10 views

Reflected XSS vulnerability in gitlab-hook

gitlab-hook 1.4.2 and earlier does not escape project names in the buildnow endpoint. This results in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...

6.1CVSS5.8AI score0.89434EPSS
Exploits5Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/01/15 12:0 a.m.•10 views

XXE vulnerability in robot

robot 2.0.0 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets fro...

8.8CVSS8.1AI score0.01382EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•10 views

vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation

vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...

8.2CVSS7.7AI score0.00993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

violation-comments-to-gitlab stored credentials in plain text

violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...

6.5CVSS5.6AI score0.01068EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/12 12:0 a.m.•10 views

aqua-serverless showed plain text password in job configuration form fields

aqua-serverless stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and...

3.1CVSS4.5AI score0.00591EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•10 views

Arbitrary file read vulnerability in filesystem_scm

filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...

6.5CVSS6.5AI score0.0101EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•10 views

Stored XSS vulnerability in build-pipeline-plugin

build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...

5.4CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•10 views

Stored XSS vulnerability in pegdown-formatter

pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting XSS as a feature. pegdown-formatter does not prevent the use of javascript: scheme in URLs for links. This...

5.4CVSS5.3AI score0.0072EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/11 12:0 a.m.•10 views

port-allocator stores credentials in plain text

port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

8.8CVSS5.6AI score0.01668EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•10 views

zap stores credentials in plain text

zap stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS7.9AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•10 views

Rabbit-MQ Publisher Plugin stored password in plain text

Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

3.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•10 views

SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud

A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as...

4.3CVSS5.5AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/01/28 12:0 a.m.•10 views

Sandbox Bypass in Script Security Plugin

Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...

8.8CVSS8.5AI score0.19042EPSS
Exploits3Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/01/28 12:0 a.m.•10 views

GitHub Authentication Plugin showed plain text client secret in configuration form

GitHub Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret...

4.3CVSS4.7AI score0.01131EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/08/15 12:0 a.m.•10 views

Jenkins allowed deserialization of <code>URL</code> objects with host components

Jenkins allowed deserialization of URL objects via Remoting agent communication and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods...

5.3CVSS6.2AI score0.01459EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery

TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...

6.5CVSS6.5AI score0.00862EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•10 views

Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials Binding Plugin

SSH Credentials Plugin allowed the creation of SSH credentials with keys "From a file on Jenkins controller". Credentials Binding Plugin 1.13 and newer allows binding SSH credentials to environment variables. In combination, these two features allow users with the permission to configure a job to...

6.5CVSS6.5AI score0.01013EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•10 views

Server-side request forgery vulnerability in GitHub Branch Source Plugin

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...

5CVSS5.1AI score0.00642EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•10 views

Perforce Plugin credentials can be obtained by users with Job/Extended Read permission

Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations. Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins,...

6.5CVSS6.3AI score0.00858EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•10 views

Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...

6.1CVSS5.9AI score0.00861EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/26 12:0 a.m.•10 views

Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 released on Mar 08, 2015 however did not exempt sensitive variables...

3.1CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•10 views

SECURITY-659

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•10 views

SECURITY-521

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/10 12:0 a.m.•9 views

Stored XSS vulnerability in node offline cause description

Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...

8CVSS4.9AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/05/27 12:0 a.m.•9 views

Missing permission check in jenkinsci-appspider-plugin allows sending requests

jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...

4.3CVSS5.2AI score0.00187EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464