1464 matches found
CSRF vulnerability and missing permission check in openshift-deployer
A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...
Arxan MAM Publisher Plugin stored password in plain text
Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...
ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...
Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...
Unauthorized users could access agent logs
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...
TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation
TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...
Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin
Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...
Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...
Arbitrary file read vulnerability
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...
HTTP session fixation vulnerability in SAML Plugin
SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...
CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials
Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...
Server-side request forgery vulnerability in GitHub Plugin
A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...
Kubernetes Plugin printed sensitive build variables to logs
Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...
CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...
Stored XSS vulnerability in S3 Publisher Plugin
S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...
Session fixation vulnerability in Google Login Plugin
Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...
Mailer Plugin allowed unauthorized users to send test emails
A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...
GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml
GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...
Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery
The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...
SECURITY-660
Bulletin has no description...
SECURITY-699
Bulletin has no description...
SECURITY-658
Bulletin has no description...
Persisted XSS vulnerability in autocompletion suggestions
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for thes...
Path traversal vulnerability in external-workspace-manager
external-workspace-manager 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point. This allows attackers with Item/Configure permission...
Missing permission check in git-parameter allows listing SCM branch and tag names
git-parameter 462.vdcf3df2ed2ca and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins. This allows attackers with Item/Read permission to...
OS command injection vulnerability on agents in git-client
git-client 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents. This allows attackers able to control the name of a build's working...
CSRF vulnerability in PrioritySorter
PrioritySorter 936.v2c01c6b84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration. This allows attackers to overwrite the global job priority configuration. PrioritySorter 936.937.v5581d0b2ccba requires POST requests for the affected...
DNS rebinding vulnerability in WebSocket CLI origin validation
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Exposure of system-scoped Vault credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...
Build authorization token stored and displayed in plain text
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
CSRF vulnerability on the login form
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery CSRF token crumb for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trick users into logging in ...
API tokens stored in plain text by byteguard-build-actions
byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
XXE vulnerability in jdepend
jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...
API key stored in plain text by kryptowire
kryptowire 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. ...
API Auth keys stored and displayed in plain text by vaddy-plugin
vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Passwords stored in plain text by warrior
warrior 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there...
XSS vulnerability in gatling
gatling 136.vb9009b3d33ae serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting XSS vulnerability exploitable by users able to change report content. As of publication of this advisor...
API key displayed without masking by zohoqengine
zohoqengine stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in zohoqengine 1.0.29.vfacc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing th...
Missing permission check in script-security
script-security 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files on the controller file...
Stored XSS vulnerability in teamconcert-git
teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert RTC server URI on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...
Path traversal vulnerability in report-info
report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...
Missing permission check in git-server
git-server 114.v068ac7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. git-server 117.veb68868fa027 requires...
CSRF vulnerability in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...
Stored XSS vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...
Tokens stored and displayed in plain text by dingding-json-pusher
dingding-json-pusher 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
CSRF vulnerabilities and missing permission checks in matlab allow XXE
matlab determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. matlab 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation...
Arbitrary file read vulnerability in electricflow
electricflow temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller whe...
Missing permission check in lambdatest-automation allows enumerating credentials IDs
lambdatest-automation 1.20.9 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...