1464 matches found
Missing hostname validation in miniorange-saml-sp
miniorange-saml-sp 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. miniorange-saml-sp 2.1.0 performs...
Stored XSS vulnerability in workflow-job
workflow-job 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set build display...
Command injection vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...
Missing permission checks in azure-credentials allow enumerating credentials IDs
azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Git releases with critical vulnerabilities on Jenkins Docker images
The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...
Password stored in plain text by testquality-updater
testquality-updater 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file com.testquality.jenkins.TestQualityNotifier.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controll...
Stored XSS vulnerability in BART
BART 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we...
Remote code execution vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.0 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library with t...
SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...
CSRF vulnerability in Katalon allows capturing credentials
Katalon 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
API keys stored in plain text by Katalon
Katalon 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Katalon 1.0.33 no longer stores the API...
XXE vulnerability in rqm-plugin
rqm-plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets fro...
Improper masking of credentials in git
git 4.11.4 and earlier does not properly mask i.e., replace with asterisks credentials in the build log provided by the Git Username and Password gitUsernamePassword credentials binding. Usernames are masked instead of passwords in cases when usernames are not set to be treated as secret. git...
Passwords stored in plain text by http_request
httprequest 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.httprequest.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by users with...
Missing permission checks in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Arbitrary file write vulnerability in pipeline-input-step
pipeline-input-step 448.v37cea9a10a70 and earlier allows Pipeline authors to specify file parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not copied to the workspace, Jenkins archives the file on the controller as part of build metadata using th...
Unauthorized view fragment access
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access ...
Passwords stored in plain text by convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
CSRF vulnerability and missing permission checks in publish-over-ftp
publish-over-ftp 1.16 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Additionally, these form validation methods do not require POST...
Stored XSS vulnerability in dashboard-view
dashboard-view 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views. dashboard-view 2.18.1 performs URL validation for the Iframe Portlet's Ifra...
Stored XSS vulnerability in extended-choice-parameter
extended-choice-parameter 346.vd87693c5a86c and earlier does not escape the value and description of Extended Choice Parameters with parameter type 'Radio Buttons' or 'Check Boxes'. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
CSRF vulnerability and missing permission check in autonomiq
autonomiq 1.15 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting...
XXE vulnerability in valgrind
valgrind 0.28 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...
Stored XSS vulnerability in vmanager-plugin
vmanager-plugin 3.0.4 and earlier does not escape build descriptions in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Run/Update permission. vmanager-plugin 3.0.5 removes affected tooltips...
Stored XSS vulnerability in vncrecorder
vncrecorder 1.25 and earlier does not escape a tool path in the checkVncServ form validation endpoint accessed e.g. via job configuration forms. This results in a stored cross-site scripting XSS vulnerability exploitable by Jenkins administrators. vncrecorder 1.35 escapes the tool path...
Content-Security-Policy protection for user content disabled by ZAP Pipeline
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts. ZAP Pipeline 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. Th...
CSRF vulnerability and improper permission checks in swarm
swarm adds API endpoints to add or remove agent labels. In swarm 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent. Additionally, these API endpoints d...
CSRF vulnerability in ec2
ec2 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID. ec2 1.50.2 now requires POST requests for the affected HTTP endpoin...
XSS vulnerability in usemango-runner
Multiple form validation endpoints in usemango-runner 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting XSS vulnerability exploitable by users able to control the values returned from the useMango service. usemango-runner 1.5 escapes a...
Credentials transmitted in plain text by skytap
skytap stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by skytap 2.07 and earlier. These credentials could be viewed by users with Extended Read...
CSRF vulnerability and missing permission checks in p4
p4 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Stored XSS vulnerability in subversion
subversion 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines...
Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...
Memory usage graphs accessible to anyone with Overall/Read
Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data...
CSRF vulnerability and missing permission checks in teamconcert allows capturing credentials
teamconcert 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Stored XSS vulnerability in pipeline-aggregator-view
pipeline-aggregator-view 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names. This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox protecti...
cloudtest stores API token in plain text
cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...
vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation
vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...
ldapemail shows plain text password in configuration form
ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Arquillian Steps Plugin
Kubernetes Pipeline - Arquillian Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
gem-publisher stores credentials in plain text
gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
XSS vulnerability in Jenkins URL setting
Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...
aqua-microscanner showed plain text credential in configuration form
aqua-microscanner stores a token credential in its global Jenkins configuration. While the token is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the token through browser extensions, cross-site scripting...
violation-comments-to-gitlab stored credentials in plain text
violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...
gcal stores credentials in plain text
gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in filesystem_scm
filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...
configuration-as-code evaluated variable references when importing a previously exported configuration
configuration-as-code allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references e.g. $VARIABLENAME in the configuration YAML file. These will be...
ec2 leaked beginning of private key in system log
ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...
CSRF vulnerability in m2release
m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...