Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
added 2019/09/25 12:0 a.m.9 views

git-changelog stored credentials in plain text

git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. git-changelog now stores these passwords encrypted. Existing jo...

6.5CVSS5.7AI score0.01038EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/09/25 12:0 a.m.9 views

gitlab-logo stored credentials in plain text

gitlab-logo stored a private token unencrypted in its global configuration file org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty.xml on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. gitlab-logo now stores the token encrypted...

5.5CVSS5.7AI score0.00324EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/09/25 12:0 a.m.9 views

project-inheritance showed secret environment variables defined in Mask Passwords Plugin

Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...

6.5CVSS6.4AI score0.01186EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/08/28 12:0 a.m.9 views

CSRF protection tokens for anonymous users did not expire in some circumstances

Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the...

8.8CVSS7.5AI score0.01578EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/08/07 12:0 a.m.9 views

configuration-as-code failed to mask secrets in system log messages

configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...

5.5CVSS5.7AI score0.00382EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/08/07 12:0 a.m.9 views

mask-passwords shows plain text passwords in global configuration form fields

mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...

6.5CVSS6.1AI score0.01296EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/08/07 12:0 a.m.9 views

avatar allows changing other users' avatars

avatar does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own. As of publication of this advisory, there is no fix...

4.3CVSS5.1AI score0.00693EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/08/07 12:0 a.m.9 views

codefresh globally and unconditionally disables SSL/TLS certificate validation

codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...

7.5CVSS6.8AI score0.01117EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/07/31 12:0 a.m.9 views

maven-plugin did not mask sensitive values in module build logs

maven-plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked. maven-plugin now applies build log decorators from the Build Environment configuration to module builds...

6.5CVSS6.4AI score0.0101EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/07/11 12:0 a.m.9 views

Reflected XSS vulnerability in embeddable-build-status

embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...

6.1CVSS5.9AI score0.01693EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/07/11 12:0 a.m.9 views

mashup-portlets-plugin stored credentials in plain text

mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...

8.8CVSS8AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/06/11 12:0 a.m.9 views

electricflow globally and unconditionally disabled SSL/TLS certificate validation

electricflow unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. electricflow no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific...

6.5CVSS6.4AI score0.01303EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/06/11 12:0 a.m.9 views

XSS vulnerability in electricflow affecting job configuration forms

The configuration forms of various post-build steps contributed by electricflow were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. electricflow no...

6.1CVSS5.6AI score0.01375EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/06/11 12:0 a.m.9 views

CSRF vulnerability and missing permission checks in electricflow allowed SSRF

A missing permission check in a form validation method in electricflow allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST requests,...

4.3CVSS4.9AI score0.01829EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/05/31 12:0 a.m.9 views

Improper handling of untrusted branches in gitea

Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...

7.5CVSS7.3AI score0.02135EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/05/31 12:0 a.m.9 views

CSRF vulnerability and missing permission check in artifactory allow capturing credentials

artifactory does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

6.5CVSS5AI score0.01825EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/30 12:0 a.m.9 views

CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core

analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...

6.5CVSS5.7AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/17 12:0 a.m.9 views

jira-ext stored credentials in plain text

jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...

8.8CVSS8AI score0.01373EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

upload-pgyer stores credentials in plain text

upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

diawi-upload stores credentials in plain text

diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF

A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

fabric-beta-publisher stores credentials in plain text

fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

youtrack-plugin stored credentials in plain text

youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

crittercism-dsym stores API key in plain text

crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

ircbot stores credentials in plain text

ircbot stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01411EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

aws-beanstalk-publisher-plugin stores credentials in plain text

aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

vmware-vrealize-automation-plugin stores credentials in plain text

vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

CSRF vulnerability and missing permission check in labmanager

A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/04/03 12:0 a.m.9 views

CSRF vulnerability and missing permission check in openshift-deployer

A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/03/25 12:0 a.m.9 views

Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin

Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/03/06 12:0 a.m.9 views

Script security sandbox bypass in Email Extension Plugin

Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin's job-specific configuration t...

9.9CVSS8.9AI score0.02439EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/02/19 12:0 a.m.9 views

SSRF vulnerability due to missing permission check in JMS Messaging Plugin

A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CS...

4.3CVSS5AI score0.00674EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/02/19 12:0 a.m.9 views

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...

6.5CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/02/19 12:0 a.m.9 views

Arxan MAM Publisher Plugin stored password in plain text

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/10/29 12:0 a.m.9 views

Sandbox Bypass in Script Security and Pipeline Groovy Plugins

The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...

8.8CVSS6.7AI score0.01639EPSS
Exploits0Affected Software2
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/08/15 12:0 a.m.9 views

Ephemeral user record was created on some invalid authentication attempts

When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...

7.5CVSS6.5AI score0.01673EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/08/15 12:0 a.m.9 views

Unauthorized users could access agent logs

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...

4.3CVSS5.4AI score0.01254EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/07/30 12:0 a.m.9 views

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/07/30 12:0 a.m.9 views

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...

5.4CVSS5.5AI score0.00719EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/07/30 12:0 a.m.9 views

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/07/18 12:0 a.m.9 views

Arbitrary file read vulnerability

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...

7.5CVSS6.4AI score0.86641EPSS
Exploits7Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/25 12:0 a.m.9 views

HTTP session fixation vulnerability in SAML Plugin

SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...

6.5CVSS6.1AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/25 12:0 a.m.9 views

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials

Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...

8.8CVSS8.1AI score0.01037EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/04 12:0 a.m.9 views

CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...

8.8CVSS8AI score0.02021EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/04 12:0 a.m.9 views

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...

6.5CVSS6.5AI score0.00988EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/04 12:0 a.m.9 views

Server-side request forgery vulnerability in GitHub Plugin

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...

6.4CVSS5.9AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/04 12:0 a.m.9 views

Kubernetes Plugin printed sensitive build variables to logs

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...

6.5CVSS6.4AI score0.01268EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/05/09 12:0 a.m.9 views

Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin

Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability. Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input...

5.4CVSS5.3AI score0.00719EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/05/09 12:0 a.m.9 views

Users were able to register user names containing control characters

The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters. This could be used to confuse administrators appearing to be a different user while preventing deletion of...

4.3CVSS5.6AI score0.01045EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/04/16 12:0 a.m.9 views

Session fixation vulnerability in Google Login Plugin

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...

6.5CVSS6AI score0.0159EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464