1464 matches found
Folder-scoped Jira sites in jira were able to access System-scoped credentials
jira allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder t...
zulip stored credentials in plain text
zulip stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins...
Users with Overall/Read access could enumerate credential IDs in libvirt-slave
libvirt-slave provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...
CSRF vulnerability and missing permission checks in libvirt-slave allowed capturing credentials
libvirt-slave does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
delphix stores credentials in plain text
delphix stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...
neoload-jenkins-plugin stored credentials in plain text
neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the...
extensivetesting stores credentials in plain text
extensivetesting stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
sofy-ai stores API token in plain text
sofy-ai stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...
Stored XSS vulnerability in htmlpublisher
htmlpublisher did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission. htmlpublish...
vault-scm-plugin shows plain text password in configuration form
vault-scm-plugin stores an SCM password in job configurations. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and simil...
dingding-notifications stores credentials in plain text
dingding-notifications stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
project-inheritance showed secret environment variables defined in Mask Passwords Plugin
Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...
gitlab-logo stored credentials in plain text
gitlab-logo stored a private token unencrypted in its global configuration file org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty.xml on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. gitlab-logo now stores the token encrypted...
git-changelog stored credentials in plain text
git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. git-changelog now stores these passwords encrypted. Existing jo...
CSRF protection tokens for anonymous users did not expire in some circumstances
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...
mask-passwords shows plain text passwords in global configuration form fields
mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...
avatar allows changing other users' avatars
avatar does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own. As of publication of this advisory, there is no fix...
codefresh globally and unconditionally disables SSL/TLS certificate validation
codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
maven-plugin did not mask sensitive values in module build logs
maven-plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked. maven-plugin now applies build log decorators from the Build Environment configuration to module builds...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...
mashup-portlets-plugin stored credentials in plain text
mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...
CSRF vulnerability and missing permission checks in electricflow allowed SSRF
A missing permission check in a form validation method in electricflow allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST requests,...
XSS vulnerability in electricflow affecting job configuration forms
The configuration forms of various post-build steps contributed by electricflow were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. electricflow no...
electricflow globally and unconditionally disabled SSL/TLS certificate validation
electricflow unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. electricflow no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific...
CSRF vulnerability and missing permission check in artifactory allow capturing credentials
artifactory does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Improper handling of untrusted branches in gitea
Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...
CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core
analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...
jira-ext stored credentials in plain text
jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...
vmware-vrealize-automation-plugin stores credentials in plain text
vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
ircbot stores credentials in plain text
ircbot stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
aws-beanstalk-publisher-plugin stores credentials in plain text
aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
diawi-upload stores credentials in plain text
diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
youtrack-plugin stored credentials in plain text
youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...
fabric-beta-publisher stores credentials in plain text
fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in labmanager
A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...
crittercism-dsym stores API key in plain text
crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
upload-pgyer stores credentials in plain text
upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in openshift-deployer
A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...
CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF
A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...
ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...
Arxan MAM Publisher Plugin stored password in plain text
Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...
Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...
Unauthorized users could access agent logs
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...
Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin
Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...
Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...
TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation
TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...
Arbitrary file read vulnerability
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...
HTTP session fixation vulnerability in SAML Plugin
SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...
CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials
Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...