1464 matches found
Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...
Stored XSS vulnerability in pipeline-aggregator-view
pipeline-aggregator-view 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names. This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the...
rundeck stored credentials in plain text
rundeck 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission in the case of job config.xml files or acce...
CSRF vulnerability and missing permission checks in rapiddeploy-jenkins allow SSRF
rapiddeploy-jenkins 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server. Additionally, these form validation methods do not require POST...
SSL/TLS certificate validation globally and unconditionally disabled by inflectra-spira-integration
inflectra-spira-integration 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. inflectra-spira-integration 3.2.4 no longer disables SSL/TLS certificate validation...
CSRF vulnerability and missing permission checks in teamconcert allows capturing credentials
teamconcert 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
weibo stores credentials in plain text
weibo 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is ...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox protecti...
Folder-scoped Jira sites in jira were able to access System-scoped credentials
jira allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder t...
vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation
vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...
cloudtest stores API token in plain text
cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...
ldapemail shows plain text password in configuration form
ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...
XSS vulnerability in Jenkins URL setting
Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...
aqua-microscanner showed plain text credential in configuration form
aqua-microscanner stores a token credential in its global Jenkins configuration. While the token is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the token through browser extensions, cross-site scripting...
violation-comments-to-gitlab stored credentials in plain text
violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Arquillian Steps Plugin
Kubernetes Pipeline - Arquillian Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
gcal stores credentials in plain text
gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
gem-publisher stores credentials in plain text
gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in filesystem_scm
filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...
CSRF vulnerability in m2release
m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...
configuration-as-code evaluated variable references when importing a previously exported configuration
configuration-as-code allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references e.g. $VARIABLENAME in the configuration YAML file. These will be...
ec2 leaked beginning of private key in system log
ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...
CSRF vulnerability and missing permission check in openid allow SSRF
A missing permission check in a form validation method in openid allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
Repository Connector Plugin stored password in plain text
Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...
Sandbox Bypass in Script Security Plugin
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...
Crowd 2 Integration Plugin stored credentials in plain text
Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk an...
CSRF vulnerability and missing permission checks in MQ Notifier Plugin
Users with Overall/Read permission were able to access MQ Notifier Plugin's form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability. The...
Publish Over Dropbox Plugin stored credentials in plain text
Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system. Additionally, the authorization code was not masked from view usi...
XML External Entity Processing Vulnerability in Monitoring Plugin
The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity XXE processing vulnerability. This allows attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks...
CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin
Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host. Additionally, this form validation method did not require POST requests, resultin...
CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery
TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...
CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials
Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...
Unauthorized users could cancel queued builds
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...
Server-side request forgery vulnerability in GitHub Branch Source Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...
GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml
GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...
SECURITY-507
Bulletin has no description...
SECURITY-694
Bulletin has no description...
Plaintext secrets persisted and served by config.xml endpoints
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...
RCE vulnerability from unvalidated LDAP referrals in ldap
ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadgets" are available on th...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...
Missing permission check in script-security allows enumerating pending and approved classpaths
script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...
XSS vulnerability in github
github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting XSS vulnerability exploitable by non-anonymous attackers with Overall/Read...
Build information disclosure vulnerability through Run Parameter
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of build...
Path traversal vulnerability in pipeline-reporter-by-redpen
pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...
Denial of service vulnerability in HTTP-based CLI
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted. This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling...
Replay vulnerability in saml
saml 4.583.vc68232f7018a and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. saml 4.583.585.v22ccc1139f55...
Java protection mechanism disabled in eggplant-runner
eggplant-runner 0.0.1.301.v963cffe8ddb8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration. This disables https://www.oracle.com/java/technologies/javase/8u111-relnotes.htmla protection mechanism of the Jav...
Missing permission checks in mcp-server
mcp-server 0.84.v50ca24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows to do the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission getJobScm. Attackers with...