1464 matches found
XXE vulnerability in valgrind
valgrind 0.28 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...
Content-Security-Policy protection for user content disabled by ZAP Pipeline
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts. ZAP Pipeline 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. Th...
Stored XSS vulnerability in vncrecorder
vncrecorder 1.25 and earlier does not escape a tool path in the checkVncServ form validation endpoint accessed e.g. via job configuration forms. This results in a stored cross-site scripting XSS vulnerability exploitable by Jenkins administrators. vncrecorder 1.35 escapes the tool path...
CSRF vulnerability and improper permission checks in swarm
swarm adds API endpoints to add or remove agent labels. In swarm 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent. Additionally, these API endpoints d...
Complete lack of CSRF protection in selenium can lead to OS command injection
selenium 3.141.59 and earlier has no CSRF protection for its HTTP endpoints. This allows attackers to perform the following actions: Restart the Selenium Grid hub. Delete or replace the plugin configuration. Start, stop, or restart Selenium configurations on specific nodes. Through carefully chos...
CSRF vulnerability in ec2
ec2 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID. ec2 1.50.2 now requires POST requests for the affected HTTP endpoin...
Stored XSS vulnerability in timestamper
timestamper 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds. This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission. timestamper 1.11.2 sanitizes t...
Arbitrary file write vulnerability in cobertura
cobertura 1.15 and earlier does not validate file paths from the XML file it parses. This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system. cobertura 1.16 sanitizes the file paths to prevent escape from the base directory...
CSRF vulnerability and missing permission checks in p4
p4 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Credentials transmitted in plain text by skytap
skytap stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by skytap 2.07 and earlier. These credentials could be viewed by users with Extended Read...
Stored XSS vulnerability in subversion
subversion 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution typically invoked from other plugins li...
Memory usage graphs accessible to anyone with Overall/Read
Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data...
Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...
CSRF vulnerability and missing permission checks in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient. Additionally, these form validation methods do not require POST...
CSRF vulnerability and missing permission checks in teamconcert allows capturing credentials
teamconcert 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Stored XSS vulnerability in buildgraph-view
buildgraph-view 1.8 and earlier does not escape the description of builds shown in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description. As of publication of this advisory, there is no fix...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox protecti...
CSRF vulnerability and missing permission checks in libvirt-slave allowed capturing credentials
libvirt-slave does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Users with Overall/Read access could enumerate credential IDs in libvirt-slave
libvirt-slave provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...
cloudtest stores API token in plain text
cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...
neoload-jenkins-plugin stored credentials in plain text
neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the...
sofy-ai stores API token in plain text
sofy-ai stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
extensivetesting stores credentials in plain text
extensivetesting stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
delphix stores credentials in plain text
delphix stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...
dingding-notifications stores credentials in plain text
dingding-notifications stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
ldapemail shows plain text password in configuration form
ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...
XSS vulnerability in Jenkins URL setting
Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...
project-inheritance showed secret environment variables defined in Mask Passwords Plugin
Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...
gcal stores credentials in plain text
gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
gem-publisher stores credentials in plain text
gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...
mask-passwords shows plain text passwords in global configuration form fields
mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...
avatar allows changing other users' avatars
avatar does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own. As of publication of this advisory, there is no fix...
ec2 leaked beginning of private key in system log
ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...
CSRF vulnerability in m2release
m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...
mashup-portlets-plugin stored credentials in plain text
mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...
CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core
analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...
jira-ext stored credentials in plain text
jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...
fabric-beta-publisher stores credentials in plain text
fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
vmware-vrealize-automation-plugin stores credentials in plain text
vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in labmanager
A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...
youtrack-plugin stored credentials in plain text
youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...
CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF
A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...
HockeyApp stores credentials in plain text
HockeyApp stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Repository Connector Plugin stored password in plain text
Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...
ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...
Arxan MAM Publisher Plugin stored password in plain text
Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...
Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...