Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/01/29 12:0 a.m.•10 views

Diagnostic page exposed session cookies

Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...

5.4CVSS5.3AI score0.07044EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

Stored XSS vulnerability in pipeline-aggregator-view

pipeline-aggregator-view 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names. This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the...

5.4CVSS5.4AI score0.00688EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

rundeck stored credentials in plain text

rundeck 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission in the case of job config.xml files or acce...

6.5CVSS6.4AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in rapiddeploy-jenkins allow SSRF

rapiddeploy-jenkins 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server. Additionally, these form validation methods do not require POST...

8.8CVSS5.6AI score0.00714EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

SSL/TLS certificate validation globally and unconditionally disabled by inflectra-spira-integration

inflectra-spira-integration 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. inflectra-spira-integration 3.2.4 no longer disables SSL/TLS certificate validation...

8.2CVSS7.7AI score0.00592EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in teamconcert allows capturing credentials

teamconcert 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...

8.8CVSS6.9AI score0.00798EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•10 views

weibo stores credentials in plain text

weibo 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is ...

5.5CVSS5.1AI score0.0033EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/11/21 12:0 a.m.•10 views

Sandbox bypass vulnerability in script-security

Sandbox protection in script-security could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox protecti...

8.8CVSS8.4AI score0.01428EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/11/21 12:0 a.m.•10 views

Folder-scoped Jira sites in jira were able to access System-scoped credentials

jira allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder t...

9.9CVSS7.5AI score0.01647EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•10 views

vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation

vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...

8.2CVSS7.7AI score0.00993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•10 views

cloudtest stores API token in plain text

cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00469EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•10 views

ldapemail shows plain text password in configuration form

ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...

7.5CVSS6.9AI score0.00887EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

XSS vulnerability in Jenkins URL setting

Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...

4.8CVSS4.9AI score0.00992EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

aqua-microscanner showed plain text credential in configuration form

aqua-microscanner stores a token credential in its global Jenkins configuration. While the token is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the token through browser extensions, cross-site scripting...

5.3CVSS5.4AI score0.00771EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

violation-comments-to-gitlab stored credentials in plain text

violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...

6.5CVSS5.6AI score0.01068EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

Script sandbox bypass vulnerability in Kubernetes Pipeline - Arquillian Steps Plugin

Kubernetes Pipeline - Arquillian Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...

9.9CVSS9AI score0.01205EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

gcal stores credentials in plain text

gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

6.5CVSS5.6AI score0.01001EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

gem-publisher stores credentials in plain text

gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

5.5CVSS5.7AI score0.00341EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•10 views

Arbitrary file read vulnerability in filesystem_scm

filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...

6.5CVSS6.5AI score0.0101EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•10 views

CSRF vulnerability in m2release

m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...

6.8CVSS6.3AI score0.00607EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•10 views

configuration-as-code evaluated variable references when importing a previously exported configuration

configuration-as-code allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references e.g. $VARIABLENAME in the configuration YAML file. These will be...

5.5CVSS5.7AI score0.00737EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•10 views

ec2 leaked beginning of private key in system log

ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...

5.5CVSS5.6AI score0.00337EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•10 views

CSRF vulnerability and missing permission check in openid allow SSRF

A missing permission check in a form validation method in openid allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...

6.5CVSS6.3AI score0.01549EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•10 views

Repository Connector Plugin stored password in plain text

Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

7.8CVSS6.3AI score0.00393EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/01/28 12:0 a.m.•10 views

Sandbox Bypass in Script Security Plugin

Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...

8.8CVSS8.5AI score0.19042EPSS
Exploits3Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/09/25 12:0 a.m.•10 views

Crowd 2 Integration Plugin stored credentials in plain text

Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk an...

7.8CVSS7.4AI score0.00311EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/09/25 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in MQ Notifier Plugin

Users with Overall/Read permission were able to access MQ Notifier Plugin's form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability. The...

4.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/09/25 12:0 a.m.•10 views

Publish Over Dropbox Plugin stored credentials in plain text

Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system. Additionally, the authorization code was not masked from view usi...

3.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/09/25 12:0 a.m.•10 views

XML External Entity Processing Vulnerability in Monitoring Plugin

The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity XXE processing vulnerability. This allows attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks...

9.8CVSS8.4AI score0.27873EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host. Additionally, this form validation method did not require POST requests, resultin...

4.9CVSS5AI score0.00483EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery

TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...

6.5CVSS6.5AI score0.00862EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials

Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...

8.8CVSS8.1AI score0.01119EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/18 12:0 a.m.•10 views

Unauthorized users could cancel queued builds

The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...

4.3CVSS5.5AI score0.00759EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•10 views

Server-side request forgery vulnerability in GitHub Branch Source Plugin

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...

5CVSS5.1AI score0.00642EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•10 views

Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...

6.1CVSS5.9AI score0.00861EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•10 views

GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...

7.8CVSS6.3AI score0.00376EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•10 views

SECURITY-507

Bulletin has no description...

3.1CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•10 views

SECURITY-694

Bulletin has no description...

4.8CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/10 12:0 a.m.•9 views

Plaintext secrets persisted and served by config.xml endpoints

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...

5.3CVSS5.2AI score0.0019EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/10 12:0 a.m.•9 views

Stored XSS vulnerability in node offline cause description

Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...

8CVSS4.9AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/05/27 12:0 a.m.•9 views

RCE vulnerability from unvalidated LDAP referrals in ldap

ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadgets" are available on th...

6.6CVSS6AI score0.00285EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/05/27 12:0 a.m.•9 views

Missing permission check in job-import-plugin allows enumerating credentials IDs

job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...

4.3CVSS5.2AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/04/29 12:0 a.m.•9 views

Missing permission check in script-security allows enumerating pending and approved classpaths

script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...

4.3CVSS5.2AI score0.00174EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/04/29 12:0 a.m.•9 views

XSS vulnerability in github

github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting XSS vulnerability exploitable by non-anonymous attackers with Overall/Read...

9CVSS5.4AI score0.00281EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/02/18 12:0 a.m.•9 views

Build information disclosure vulnerability through Run Parameter

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of build...

4.3CVSS7.8AI score0.00333EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•9 views

Path traversal vulnerability in pipeline-reporter-by-redpen

pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...

4.3CVSS5.2AI score0.00301EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•9 views

Denial of service vulnerability in HTTP-based CLI

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted. This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling...

7.5CVSS7.6AI score0.00515EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•9 views

Replay vulnerability in saml

saml 4.583.vc68232f7018a and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. saml 4.583.585.v22ccc1139f55...

7.5CVSS5.2AI score0.00387EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•9 views

Java protection mechanism disabled in eggplant-runner

eggplant-runner 0.0.1.301.v963cffe8ddb8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration. This disables https://www.oracle.com/java/technologies/javase/8u111-relnotes.htmla protection mechanism of the Jav...

5.9CVSS7.2AI score0.03937EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•9 views

Missing permission checks in mcp-server

mcp-server 0.84.v50ca24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows to do the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission getJobScm. Attackers with...

5.4CVSS5.2AI score0.00239EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464