1464 matches found
Build information disclosure vulnerability through Run Parameter
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of build...
Denial of service vulnerability in HTTP-based CLI
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted. This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling...
Path traversal vulnerability in pipeline-reporter-by-redpen
pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...
Replay vulnerability in saml
saml 4.583.vc68232f7018a and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. saml 4.583.585.v22ccc1139f55...
Java protection mechanism disabled in eggplant-runner
eggplant-runner 0.0.1.301.v963cffe8ddb8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration. This disables https://www.oracle.com/java/technologies/javase/8u111-relnotes.htmla protection mechanism of the Jav...
Missing permission checks in mcp-server
mcp-server 0.84.v50ca24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows to do the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission getJobScm. Attackers with...
CSRF vulnerability and missing permission check in windocks-start-container
windocks-start-container 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF...
Log message injection vulnerability
In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output including jenkins.log and equivalent does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to...
Missing permission check allows retrieving secrets from agent configurations
Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. NOTE: This is due to an...
API keys stored in plain text by stackhammer
stackhammer 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of thi...
Open redirect vulnerability
Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limits redirections to safe URLs neither absolute nor scheme-relative/network-path reference. In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier,...
CSRF vulnerability in htmlresource allows deleting arbitrary files
htmlresource 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system. As of publication of this advisory, there is no fix...
Password stored in a recoverable format by oic-auth
oic-auth provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins. In oic-auth 2.6 and earlier the password to that account is stored in a recoverable format. This allows attackers with access to the Jenkins...
Stored XSS vulnerability in github
github 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. github 1.37.3.1 escapes GitHub project URL on the build page when showi...
Disabled permissions can be granted by ssh2easy
ssh2easy 1.4 and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted typically optional permissions, like Overall/Manage to access functionality they're no longer entitled to. NOTE: As a workaround, administrators can save the...
Information disclosure in cloudbees-folder
cloudbees-folder displays an error message when attempting to access the Scan Organization Folder Log if no logs are available. In cloudbees-folder 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file...
Stored XSS vulnerability in shortcut-job
shortcut-job 0.4 and earlier does not escape the shortcut redirection URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure shortcut jobs. shortcut-job 0.5 escapes the shortcut redirection URL...
Arbitrary file read vulnerability in aws-codecommit-trigger
aws-codecommit-trigger allows downloading activity logs of AWS Simple Queue Service SQS queues. aws-codecommit-trigger 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of...
SSL/TLS certificate validation unconditionally disabled by miniorange-saml-sp
miniorange-saml-sp 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. miniorange-saml-sp...
Missing permission checks in codedx
codedx 3.1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system. codedx 4.0.0 requires Item/Configure permission for this fo...
Stored XSS vulnerability in loadcomplete
loadcomplete 1.0 and earlier does not escape the LoadComplete test name in its test result page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Lack of authentication mechanism in assembla-merge-request-builder webhook
assembla-merge-request-builder provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In assembla-merge-request-builder 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows...
XXE vulnerability in perfpublisher
perfpublisher 8.09 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
Stored XSS vulnerability in pipeline-build-step
pipeline-build-step 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control job names. pipeline-build-step 2.18.1 escapes job names in the...
CSRF vulnerability and missing permission checks in ghprb
ghprb 1.42.2 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Improper credentials masking in gitea
gitea support authentication with Gitea personal access tokens. In gitea 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs. gitea 1.4.5 adds suppor...
XXE vulnerability on agents in cccc
cccc 0.6 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the report file for the 'Publish CCCC Report' post-build step to have agent processes parse a crafted file that uses external entities for...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerabilit...
AWS secrets displayed without masking by s3explorer
s3explorer stores AWSSECRETACCESSKEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration. While this secret is stored encrypted on disk, in s3explorer 1.0.8 and earlier the global configuration form does not mask the AWSSECRETACCESSKEY form field...
CSRF vulnerability in Katalon allows capturing credentials
Katalon 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
Lack of webhook authentication mechanism in tuleap-git-branch-source
tuleap-git-branch-source provides a webhook endpoint at /tuleap-hook/ that can be used to trigger Tuleap projects configured with a specified repository. In tuleap-git-branch-source 3.2.4 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to...
Content-Security-Policy protection for user content can be disabled in 360 FireLine
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. 360 FireLine 1.7.2 and earlier globally disables the Content-Security-Policy...
CSRF protection for any URL can be bypassed in pipeline-stage-view
pipeline-stage-view provides a visualization of Pipeline builds. It also allows users to interact with input steps from Pipeline: Input Step Plugin. pipeline-stage-view 2.26 and earlier does not correctly encode the ID of input steps when using it to generate URLs to proceed or abort Pipeline...
Stored XSS vulnerability in contrast-continuous-application-security
contrast-continuous-application-security 3.9 and earlier does not escape data returned from the Contrast service when generating a report. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control or modify Contrast service API responses...
Agent-to-controller security bypass in wildfly-deployer allows reading arbitrary files
wildfly-deployer 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. NOTE: This vulnerability is...
Missing permission check in extreme-feedback
extreme-feedback 1.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. As of publication of this...
XXE vulnerability in rqm-plugin
rqm-plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets fro...
Passwords stored in plain text by http_request
httprequest 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.httprequest.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by users with...
CSRF vulnerability and missing permission checks in openstack-heat
openstack-heat 1.5 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these form validation methods do not require POST requests, resulting in a cross-sit...
Password stored in plain text by rqm-plugin
rqm-plugin 2.8 and earlier stores a password unencrypted in its global configuration file net.praqma.jenkins.rqm.RqmBuilder.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this...
Password stored in plain text by skype-notifier
skype-notifier 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As o...
Unauthorized view fragment access
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access ...
Arbitrary file write vulnerability in pipeline-input-step
pipeline-input-step 448.v37cea9a10a70 and earlier allows Pipeline authors to specify file parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not copied to the workspace, Jenkins archives the file on the controller as part of build metadata using th...
Passwords stored in plain text by convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
CSRF vulnerability and missing permission checks in publish-over-ftp
publish-over-ftp 1.16 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Additionally, these form validation methods do not require POST...
Arbitrary JSON and property file read vulnerability in extended-choice-parameter
extended-choice-parameter 346.vd87693c5a86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in extended-choice-parameter
extended-choice-parameter 346.vd87693c5a86c and earlier does not escape the value and description of Extended Choice Parameters with parameter type 'Radio Buttons' or 'Check Boxes'. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
Stored XSS vulnerability in dashboard-view
dashboard-view 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views. dashboard-view 2.18.1 performs URL validation for the Iframe Portlet's Ifra...
CSRF vulnerability and missing permission check in autonomiq
autonomiq 1.15 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting...