Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in openshift-deployer

A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•9 views

Arxan MAM Publisher Plugin stored password in plain text

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•9 views

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...

6.5CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/10/29 12:0 a.m.•9 views

Sandbox Bypass in Script Security and Pipeline Groovy Plugins

The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...

8.8CVSS6.7AI score0.01639EPSS
Exploits0Affected Software2
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/08/15 12:0 a.m.•9 views

Unauthorized users could access agent logs

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...

4.3CVSS5.4AI score0.01254EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...

5.4CVSS5.5AI score0.00719EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/18 12:0 a.m.•9 views

Arbitrary file read vulnerability

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...

7.5CVSS6.4AI score0.86641EPSS
Exploits7Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•9 views

HTTP session fixation vulnerability in SAML Plugin

SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...

6.5CVSS6.1AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials

Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...

8.8CVSS8.1AI score0.01037EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...

8.8CVSS8AI score0.02021EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

Server-side request forgery vulnerability in GitHub Plugin

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...

6.4CVSS5.9AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

Kubernetes Plugin printed sensitive build variables to logs

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...

6.5CVSS6.4AI score0.01268EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...

6.5CVSS6.5AI score0.00988EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/16 12:0 a.m.•9 views

Stored XSS vulnerability in S3 Publisher Plugin

S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...

5.4CVSS5.3AI score0.00673EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/16 12:0 a.m.•9 views

Session fixation vulnerability in Google Login Plugin

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...

6.5CVSS6AI score0.0159EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/11 12:0 a.m.•9 views

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...

5.3CVSS5.4AI score0.01403EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•9 views

Mailer Plugin allowed unauthorized users to send test emails

A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...

8CVSS7.5AI score0.06773EPSS
Exploits5Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•9 views

GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...

7.8CVSS6.3AI score0.00376EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/14 12:0 a.m.•9 views

Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery

The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...

6.4CVSS6.4AI score0.01678EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•9 views

SECURITY-660

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•9 views

SECURITY-699

Bulletin has no description...

8.8CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•9 views

SECURITY-658

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2017/11/08 12:0 a.m.•9 views

Persisted XSS vulnerability in autocompletion suggestions

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for thes...

4.8CVSS5.3AI score0.01128EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Path traversal vulnerability in external-workspace-manager

external-workspace-manager 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point. This allows attackers with Item/Configure permission...

8.8CVSS6.7AI score0.00595EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Missing permission check in git-parameter allows listing SCM branch and tag names

git-parameter 462.vdcf3df2ed2ca and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins. This allows attackers with Item/Read permission to...

4.3CVSS5.9AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

OS command injection vulnerability on agents in git-client

git-client 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents. This allows attackers able to control the name of a build's working...

5CVSS6.1AI score0.00207EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

CSRF vulnerability in PrioritySorter

PrioritySorter 936.v2c01c6b84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration. This allows attackers to overwrite the global job priority configuration. PrioritySorter 936.937.v5581d0b2ccba requires POST requests for the affected...

4.3CVSS5.9AI score0.00152EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/03/18 12:0 a.m.•8 views

DNS rebinding vulnerability in WebSocket CLI origin validation

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...

7.5CVSS6.1AI score0.00297EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

Exposure of system-scoped Vault credentials in hashicorp-vault-plugin

hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...

4.3CVSS5.2AI score0.00202EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

Build authorization token stored and displayed in plain text

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS7.6AI score0.00159EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

CSRF vulnerability on the login form

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery CSRF token crumb for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trick users into logging in ...

3.5CVSS7.5AI score0.0016EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•8 views

API tokens stored in plain text by byteguard-build-actions

byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5.3AI score0.00158EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•8 views

XXE vulnerability in jdepend

jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...

7.1CVSS5.4AI score0.0032EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•8 views

API key stored in plain text by kryptowire

kryptowire 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. ...

6.5CVSS6.4AI score0.00259EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•8 views

API Auth keys stored and displayed in plain text by vaddy-plugin

vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

6.5CVSS5.6AI score0.00218EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•8 views

Passwords stored in plain text by warrior

warrior 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there...

6.5CVSS6.4AI score0.00291EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/06/06 12:0 a.m.•8 views

XSS vulnerability in gatling

gatling 136.vb9009b3d33ae serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting XSS vulnerability exploitable by users able to change report content. As of publication of this advisor...

8CVSS4.9AI score0.00444EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/19 12:0 a.m.•8 views

API key displayed without masking by zohoqengine

zohoqengine stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in zohoqengine 1.0.29.vfacc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing th...

3.1CVSS5.2AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•8 views

Missing permission check in script-security

script-security 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files on the controller file...

4.3CVSS5AI score0.0036EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•8 views

Stored XSS vulnerability in teamconcert-git

teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert RTC server URI on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...

8CVSS4.9AI score0.00327EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•8 views

Path traversal vulnerability in report-info

report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...

4.3CVSS5.1AI score0.00831EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/02 12:0 a.m.•8 views

Missing permission check in git-server

git-server 114.v068ac7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. git-server 117.veb68868fa027 requires...

6.5CVSS6.4AI score0.00522EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•8 views

CSRF vulnerability in gitlab-branch-source

gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...

4.3CVSS4.9AI score0.00323EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•8 views

Stored XSS vulnerability in qualys-pc

qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...

8CVSS5.3AI score0.00458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•8 views

Tokens stored and displayed in plain text by dingding-json-pusher

dingding-json-pusher 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5AI score0.00347EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/11/29 12:0 a.m.•8 views

CSRF vulnerabilities and missing permission checks in matlab allow XXE

matlab determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. matlab 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation...

9.8CVSS8.3AI score0.00844EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/10/25 12:0 a.m.•8 views

Arbitrary file read vulnerability in electricflow

electricflow temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller whe...

6.5CVSS6.6AI score0.01159EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/10/25 12:0 a.m.•8 views

Missing permission check in lambdatest-automation allows enumerating credentials IDs

lambdatest-automation 1.20.9 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...

4.3CVSS5.1AI score0.00394EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464