Lucene search
K
JenkinsMost viewed

1464 matches found

jenkins
jenkins
•added 2019/11/21 12:0 a.m.•9 views

Folder-scoped Jira sites in jira were able to access System-scoped credentials

jira allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder t...

9.9CVSS7.5AI score0.01647EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/23 12:0 a.m.•9 views

zulip stored credentials in plain text

zulip stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins...

7.8CVSS7.3AI score0.00333EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/23 12:0 a.m.•9 views

Users with Overall/Read access could enumerate credential IDs in libvirt-slave

libvirt-slave provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...

4.3CVSS5.1AI score0.00678EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/23 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in libvirt-slave allowed capturing credentials

libvirt-slave does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

8.8CVSS7AI score0.00836EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/16 12:0 a.m.•9 views

delphix stores credentials in plain text

delphix stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...

7.8CVSS7.3AI score0.0027EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/16 12:0 a.m.•9 views

neoload-jenkins-plugin stored credentials in plain text

neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the...

8.8CVSS6.2AI score0.01486EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/16 12:0 a.m.•9 views

extensivetesting stores credentials in plain text

extensivetesting stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

8.8CVSS7.9AI score0.00897EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/16 12:0 a.m.•9 views

sofy-ai stores API token in plain text

sofy-ai stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00511EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/01 12:0 a.m.•9 views

Stored XSS vulnerability in htmlpublisher

htmlpublisher did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission. htmlpublish...

5.4CVSS6.5AI score0.01177EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/01 12:0 a.m.•9 views

vault-scm-plugin shows plain text password in configuration form

vault-scm-plugin stores an SCM password in job configurations. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and simil...

7.5CVSS7AI score0.00887EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/10/01 12:0 a.m.•9 views

dingding-notifications stores credentials in plain text

dingding-notifications stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

3.3CVSS5.1AI score0.00409EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/09/25 12:0 a.m.•9 views

project-inheritance showed secret environment variables defined in Mask Passwords Plugin

Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...

6.5CVSS6.4AI score0.01186EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/09/25 12:0 a.m.•9 views

gitlab-logo stored credentials in plain text

gitlab-logo stored a private token unencrypted in its global configuration file org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty.xml on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. gitlab-logo now stores the token encrypted...

5.5CVSS5.7AI score0.00324EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/09/25 12:0 a.m.•9 views

git-changelog stored credentials in plain text

git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. git-changelog now stores these passwords encrypted. Existing jo...

6.5CVSS5.7AI score0.01038EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/08/28 12:0 a.m.•9 views

CSRF protection tokens for anonymous users did not expire in some circumstances

Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the...

8.8CVSS7.5AI score0.01578EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/08/07 12:0 a.m.•9 views

configuration-as-code failed to mask secrets in system log messages

configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...

5.5CVSS5.7AI score0.00382EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/08/07 12:0 a.m.•9 views

mask-passwords shows plain text passwords in global configuration form fields

mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...

6.5CVSS6.1AI score0.01296EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/08/07 12:0 a.m.•9 views

avatar allows changing other users' avatars

avatar does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own. As of publication of this advisory, there is no fix...

4.3CVSS5.1AI score0.00693EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/08/07 12:0 a.m.•9 views

codefresh globally and unconditionally disables SSL/TLS certificate validation

codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...

7.5CVSS6.8AI score0.01117EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/07/31 12:0 a.m.•9 views

maven-plugin did not mask sensitive values in module build logs

maven-plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked. maven-plugin now applies build log decorators from the Build Environment configuration to module builds...

6.5CVSS6.4AI score0.0101EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/07/11 12:0 a.m.•9 views

Reflected XSS vulnerability in embeddable-build-status

embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...

6.1CVSS5.9AI score0.01693EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/07/11 12:0 a.m.•9 views

mashup-portlets-plugin stored credentials in plain text

mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...

8.8CVSS8AI score0.01832EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/06/11 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in electricflow allowed SSRF

A missing permission check in a form validation method in electricflow allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST requests,...

4.3CVSS4.9AI score0.01829EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/06/11 12:0 a.m.•9 views

XSS vulnerability in electricflow affecting job configuration forms

The configuration forms of various post-build steps contributed by electricflow were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. electricflow no...

6.1CVSS5.6AI score0.01375EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/06/11 12:0 a.m.•9 views

electricflow globally and unconditionally disabled SSL/TLS certificate validation

electricflow unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. electricflow no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific...

6.5CVSS6.4AI score0.01303EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/05/31 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in artifactory allow capturing credentials

artifactory does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

6.5CVSS5AI score0.01825EPSS
Exploits1Affected Software1
jenkins
jenkins
•added 2019/05/31 12:0 a.m.•9 views

Improper handling of untrusted branches in gitea

Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...

7.5CVSS7.3AI score0.02135EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/30 12:0 a.m.•9 views

CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core

analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...

6.5CVSS5.7AI score0.01536EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/17 12:0 a.m.•9 views

jira-ext stored credentials in plain text

jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...

8.8CVSS8AI score0.01373EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

vmware-vrealize-automation-plugin stores credentials in plain text

vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01365EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

ircbot stores credentials in plain text

ircbot stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01411EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

aws-beanstalk-publisher-plugin stores credentials in plain text

aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01365EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

diawi-upload stores credentials in plain text

diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

youtrack-plugin stored credentials in plain text

youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

fabric-beta-publisher stores credentials in plain text

fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in labmanager

A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

crittercism-dsym stores API key in plain text

crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

upload-pgyer stores credentials in plain text

upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in openshift-deployer

A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF

A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2019/02/19 12:0 a.m.•9 views

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...

6.5CVSS5.3AI score
Exploits0Affected Software1
jenkins
jenkins
•added 2019/02/19 12:0 a.m.•9 views

Arxan MAM Publisher Plugin stored password in plain text

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...

4.3CVSS5.4AI score
Exploits0Affected Software1
jenkins
jenkins
•added 2018/10/29 12:0 a.m.•9 views

Sandbox Bypass in Script Security and Pipeline Groovy Plugins

The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...

8.8CVSS6.7AI score0.01639EPSS
Exploits0Affected Software2
jenkins
jenkins
•added 2018/08/15 12:0 a.m.•9 views

Unauthorized users could access agent logs

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...

4.3CVSS5.4AI score0.01254EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2018/07/30 12:0 a.m.•9 views

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...

5.4CVSS5.5AI score0.00719EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2018/07/30 12:0 a.m.•9 views

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2018/07/30 12:0 a.m.•9 views

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2018/07/18 12:0 a.m.•9 views

Arbitrary file read vulnerability

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...

7.5CVSS6.4AI score0.86641EPSS
Exploits7Affected Software1
jenkins
jenkins
•added 2018/06/25 12:0 a.m.•9 views

HTTP session fixation vulnerability in SAML Plugin

SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...

6.5CVSS6.1AI score0.00852EPSS
Exploits0Affected Software1
jenkins
jenkins
•added 2018/06/25 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials

Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...

8.8CVSS8.1AI score0.01037EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464