Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/07/11 12:0 a.m.โ€ข9 views

mashup-portlets-plugin stored credentials in plain text

mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...

8.8CVSS8AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/30 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core

analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...

6.5CVSS5.7AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/17 12:0 a.m.โ€ข9 views

jira-ext stored credentials in plain text

jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...

8.8CVSS8AI score0.01373EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/03 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission check in labmanager

A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/03 12:0 a.m.โ€ข9 views

youtrack-plugin stored credentials in plain text

youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/03 12:0 a.m.โ€ข9 views

HockeyApp stores credentials in plain text

HockeyApp stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS7.9AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/25 12:0 a.m.โ€ข9 views

XSS vulnerability in Lockable Resources Plugin

Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting XSS vulnerability. The plugin now properly escapes resource names in its scripts...

5.4CVSS6AI score0.01397EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/06 12:0 a.m.โ€ข9 views

Repository Connector Plugin stored password in plain text

Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

7.8CVSS6.3AI score0.00393EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/02/19 12:0 a.m.โ€ข9 views

Arxan MAM Publisher Plugin stored password in plain text

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/02/19 12:0 a.m.โ€ข9 views

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...

6.5CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/09/25 12:0 a.m.โ€ข9 views

Publish Over Dropbox Plugin stored credentials in plain text

Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system. Additionally, the authorization code was not masked from view usi...

3.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/09/25 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in MQ Notifier Plugin

Users with Overall/Read permission were able to access MQ Notifier Plugin's form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability. The...

4.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/07/30 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials

Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...

8.8CVSS8.1AI score0.01119EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/07/30 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host. Additionally, this form validation method did not require POST requests, resultin...

4.9CVSS5AI score0.00483EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/07/18 12:0 a.m.โ€ข9 views

Unauthorized users could cancel queued builds

The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...

4.3CVSS5.5AI score0.00759EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/25 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials

Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...

8.8CVSS8.1AI score0.01037EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/04 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in AbsInt Astrรฉe Plugin allowed launching programs on the Jenkins controller

AbsInt Astrรฉe Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...

8.8CVSS8AI score0.02021EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/04 12:0 a.m.โ€ข9 views

Server-side request forgery vulnerability in GitHub Plugin

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...

6.4CVSS5.9AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/04 12:0 a.m.โ€ข9 views

Kubernetes Plugin printed sensitive build variables to logs

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...

6.5CVSS6.4AI score0.01268EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/04 12:0 a.m.โ€ข9 views

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...

6.5CVSS6.5AI score0.00988EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/04/16 12:0 a.m.โ€ข9 views

Stored XSS vulnerability in S3 Publisher Plugin

S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...

5.4CVSS5.3AI score0.00673EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/04/16 12:0 a.m.โ€ข9 views

Session fixation vulnerability in Google Login Plugin

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...

6.5CVSS6AI score0.01653EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/01/22 12:0 a.m.โ€ข9 views

SECURITY-507

Bulletin has no description...

3.1CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/01/22 12:0 a.m.โ€ข9 views

SECURITY-694

Bulletin has no description...

4.8CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

OS command injection vulnerability on agents in git-client

git-client 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents. This allows attackers able to control the name of a build's working...

5CVSS6.1AI score0.00207EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

Path traversal vulnerability in external-workspace-manager

external-workspace-manager 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point. This allows attackers with Item/Configure permission...

8.8CVSS6.7AI score0.00595EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

Missing permission check in git-parameter allows listing SCM branch and tag names

git-parameter 462.vdcf3df2ed2ca and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins. This allows attackers with Item/Read permission to...

4.3CVSS5.9AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

CSRF vulnerability in PrioritySorter

PrioritySorter 936.v2c01c6b84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration. This allows attackers to overwrite the global job priority configuration. PrioritySorter 936.937.v5581d0b2ccba requires POST requests for the affected...

4.3CVSS5.9AI score0.00152EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข8 views

Plaintext secrets persisted and served by config.xml endpoints

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...

5.3CVSS5.2AI score0.0019EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข8 views

Missing permission check in job-import-plugin allows enumerating credentials IDs

job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...

4.3CVSS5.2AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข8 views

Missing permission check in github-branch-source allows performing a connection test

github-branch-source 1967.vdead580c1aba and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. github-branch-source...

4.3CVSS5.2AI score0.00184EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/03/18 12:0 a.m.โ€ข8 views

DNS rebinding vulnerability in WebSocket CLI origin validation

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...

7.5CVSS6.1AI score0.00297EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข8 views

Path traversal vulnerability in pipeline-reporter-by-redpen

pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...

4.3CVSS5.2AI score0.00301EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข8 views

Exposure of system-scoped Vault credentials in hashicorp-vault-plugin

hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...

4.3CVSS5.2AI score0.00202EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข8 views

Build authorization token stored and displayed in plain text

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS7.6AI score0.00159EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข8 views

CSRF vulnerability on the login form

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery CSRF token crumb for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trick users into logging in ...

3.5CVSS7.5AI score0.0016EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/10/29 12:0 a.m.โ€ข8 views

API tokens stored in plain text by byteguard-build-actions

byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5.3AI score0.00158EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/10/29 12:0 a.m.โ€ข8 views

XXE vulnerability in jdepend

jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...

7.1CVSS5.4AI score0.0032EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/07/09 12:0 a.m.โ€ข8 views

API Auth keys stored and displayed in plain text by vaddy-plugin

vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

6.5CVSS5.6AI score0.00218EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/07/09 12:0 a.m.โ€ข8 views

API key stored in plain text by kryptowire

kryptowire 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. ...

6.5CVSS6.4AI score0.00259EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/07/09 12:0 a.m.โ€ข8 views

Passwords stored in plain text by warrior

warrior 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there...

6.5CVSS6.4AI score0.00291EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/06/06 12:0 a.m.โ€ข8 views

XSS vulnerability in gatling

gatling 136.vb9009b3d33ae serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting XSS vulnerability exploitable by users able to change report content. As of publication of this advisor...

8CVSS4.9AI score0.00444EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/03/19 12:0 a.m.โ€ข8 views

API key displayed without masking by zohoqengine

zohoqengine stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in zohoqengine 1.0.29.vfacc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing th...

3.1CVSS5.2AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/11/13 12:0 a.m.โ€ข8 views

Missing permission check in script-security

script-security 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files on the controller file...

4.3CVSS5AI score0.0036EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/05/24 12:0 a.m.โ€ข8 views

Path traversal vulnerability in report-info

report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...

4.3CVSS5.1AI score0.00831EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/05/24 12:0 a.m.โ€ข8 views

Stored XSS vulnerability in teamconcert-git

teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert RTC server URI on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...

8CVSS4.9AI score0.00327EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/01/24 12:0 a.m.โ€ข8 views

CSRF vulnerability in gitlab-branch-source

gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...

4.3CVSS4.9AI score0.00323EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/01/24 12:0 a.m.โ€ข8 views

Stored XSS vulnerability in qualys-pc

qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...

8CVSS5.3AI score0.00458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/12/13 12:0 a.m.โ€ข8 views

Tokens stored and displayed in plain text by dingding-json-pusher

dingding-json-pusher 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5AI score0.00347EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/12/13 12:0 a.m.โ€ข8 views

CSRF vulnerability in htmlresource allows deleting arbitrary files

htmlresource 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system. As of publication of this advisory, there is no fix...

8.8CVSS7.8AI score0.00493EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464