1464 matches found
zap stores credentials in plain text
zap stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in openid allow SSRF
A missing permission check in a form validation method in openid allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
XSS vulnerability in Lockable Resources Plugin
Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting XSS vulnerability. The plugin now properly escapes resource names in its scripts...
SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud
A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as...
Rabbit-MQ Publisher Plugin stored password in plain text
Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...
Sandbox Bypass in Script Security Plugin
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...
Jenkins allowed deserialization of <code>URL</code> objects with host components
Jenkins allowed deserialization of URL objects via Remoting agent communication and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods...
CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery
TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...
CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials
Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...
Unauthorized users could cancel queued builds
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...
Server-side request forgery vulnerability in GitHub Branch Source Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...
SECURITY-694
Bulletin has no description...
SECURITY-507
Bulletin has no description...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...
Plaintext secrets persisted and served by config.xml endpoints
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...
RCE vulnerability from unvalidated LDAP referrals in ldap
ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadgets" are available on th...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...
CSRF vulnerability in github-pullrequest
github-pullrequest 0.7.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trigger a build for a pull request. github-pullrequest 0.7.4 requires POST requests for the affected HTTP...
Unsafe deserialization allows invoking parameterless constructors in matrix-auth
matrix-auth 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to...
XSS vulnerability in github
github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting XSS vulnerability exploitable by non-anonymous attackers with Overall/Read...
Missing permission check in script-security allows enumerating pending and approved classpaths
script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...
Build information disclosure vulnerability through Run Parameter
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of build...
Missing permission check in BlazeMeterJenkinsPlugin allows enumerating credentials IDs
BlazeMeterJenkinsPlugin 4.26 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Path traversal vulnerability in pipeline-reporter-by-redpen
pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...
Denial of service vulnerability in HTTP-based CLI
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted. This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling...
Replay vulnerability in saml
saml 4.583.vc68232f7018a and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. saml 4.583.585.v22ccc1139f55...
Missing permission checks in mcp-server
mcp-server 0.84.v50ca24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows to do the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission getJobScm. Attackers with...
CSRF vulnerability and missing permission check in windocks-start-container
windocks-start-container 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF...
Java protection mechanism disabled in eggplant-runner
eggplant-runner 0.0.1.301.v963cffe8ddb8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration. This disables https://www.oracle.com/java/technologies/javase/8u111-relnotes.htmla protection mechanism of the Jav...
Log message injection vulnerability
In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output including jenkins.log and equivalent does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to...
API keys stored in plain text by stackhammer
stackhammer 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of thi...
Missing permission check allows retrieving secrets from agent configurations
Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. NOTE: This is due to an...
Encrypted values of secrets stored in view configuration revealed to users with View/Read permission
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the 2016-05-11...
Open redirect vulnerability
Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limits redirections to safe URLs neither absolute nor scheme-relative/network-path reference. In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier,...
Bitbucket OAuth access token exposed in the build log by cloudbees-bitbucket-branch-source
cloudbees-bitbucket-branch-source 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. cloudbees-bitbucket-branch-source 887.vad359b3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL i...
Password stored in a recoverable format by oic-auth
oic-auth provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins. In oic-auth 2.6 and earlier the password to that account is stored in a recoverable format. This allows attackers with access to the Jenkins...
CSRF vulnerability in htmlresource allows deleting arbitrary files
htmlresource 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system. As of publication of this advisory, there is no fix...
Information disclosure in cloudbees-folder
cloudbees-folder displays an error message when attempting to access the Scan Organization Folder Log if no logs are available. In cloudbees-folder 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file...
Open redirect vulnerability in openshift-login
openshift-login 1.1.0.227.v27e08dfb1a20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful...
Missing hostname validation in miniorange-saml-sp
miniorange-saml-sp 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. miniorange-saml-sp 2.1.0 performs...
Missing permission checks in codedx
codedx 3.1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system. codedx 4.0.0 requires Item/Configure permission for this fo...
Stored XSS vulnerability in loadcomplete
loadcomplete 1.0 and earlier does not escape the LoadComplete test name in its test result page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Path traversal vulnerability in sidebar-link
sidebar-link allows specifying files in the userContent/ directory for use as link icons. sidebar-link 2.2.1 and earlier does not restrict the path of files in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an...
Stored XSS vulnerability in pipeline-build-step
pipeline-build-step 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control job names. pipeline-build-step 2.18.1 escapes job names in the...
Password stored in plain text by testquality-updater
testquality-updater 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file com.testquality.jenkins.TestQualityNotifier.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controll...
XXE vulnerability on agents in cccc
cccc 0.6 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the report file for the 'Publish CCCC Report' post-build step to have agent processes parse a crafted file that uses external entities for...
Stored XSS vulnerability in BART
BART 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we...
Remote code execution vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.0 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library with t...
API keys stored in plain text by Katalon
Katalon 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Katalon 1.0.33 no longer stores the API...