Lack of authentication mechanism in DotCi webhook
DotCi provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository. In DotCi 2.40.00 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the...
Missing hostname validation in view26
view26 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce this...
API key stored in plain text by bigpanda-jenkins
bigpanda-jenkins 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. Additionally, the...
CSRF vulnerability and missing permission checks in CONS3RT allow capturing credentials
CONS3RT 1.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials...
API token stored in plain text by CONS3RT
CONS3RT 1.0.0 and earlier stores the Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we...
Missing permission check in apprenda allows enumerating credentials IDs
apprenda 2.2.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As o...
CSRF vulnerability and missing permission check in scm-httpclient allow capturing credentials
scm-httpclient 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Missing permission checks in CONS3RT allow enumerating credentials IDs
CONS3RT 1.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. ...
XXE vulnerability in compuware-common-configuration
compuware-common-configuration 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities fo...
CSRF vulnerability in security-inspector
security-inspector 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users a...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
Missing permission check in extreme-feedback
extreme-feedback 1.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. As of publication of this...
Missing permission check in build-publisher
build-publisher 1.22 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins...
Path traversal and CSRF vulnerability in build-publisher
build-publisher 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. Additionally, this endpoint does not require POST requests, resulting in a cross-sit...
Missing webhook endpoint authorization in rundeck
rundeck 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint. This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck. As of publication of this advisory, there is no fix. Learn why we announce this...
Agent-to-controller security bypass in wildfly-deployer allows reading arbitrary files
wildfly-deployer 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. NOTE: This vulnerability is...
RCE vulnerability in DotCi
DotCi 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM. As of publication of this advisory, there is no fix. Learn why we...
XXE vulnerability in rqm-plugin
rqm-plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets fro...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins LTS 2.346.3 and earlier,...
RCE vulnerability in Kubernetes Continuous Deploy
Kubernetes Continuous Deploy 2.3.1 and earlier bundles a version of Kubernetes Java Client library with the vulnerability CVE-2021-25738 (https://vulners.com/cve/CVE-2021-25738) that does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code...
RabbitMQ password stored in plain text by collabnet
collabnet 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file hudson.plugins.collabnet.share.TeamForgeShare.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
Improper masking of credentials in git
git 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (gitUsernamePassword) credentials binding. Usernames are masked instead of passwords in cases when usernames are not set to be treated as secret. git...
Stored XSS vulnerability in jobConfigHistory
jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names. jobConfigHistory 1166.vc9f255f45b8a escapes the job name on...
Non-constant time webhook signature comparison in github
github 1.34.4 and earlier does not use a constant-time comparison when checking whether the provided and computed webhook signatures are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook signature. github 1.34.5 uses a constant-time comparison when...
Lack of authentication mechanism in git webhook
git provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In git 4.11....
Missing hostname verification in git-client
git-client 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH. This lack of verification could be abused using a man-in-the-middle attack to intercept these connections. git-client 3.11.1 provides strategies for performing host key verificati...
CSRF vulnerability in jobConfigHistory
jobConfigHistory 1155.v28a46acc06a5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older...
Missing permission check in deployer-framework allows reading deployment logs
deployer-framework 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. deployer-framework 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...
Passwords stored in plain text by http_request
http_request 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.http_request.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by users with...
CSRF vulnerability and missing permission check in openshift-deployer
openshift-deployer 1.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method...
Missing permission checks in openstack-heat allow listing the Jenkins controller file system
openstack-heat 1.5 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be used to...
Missing permission check in files-found-trigger allows listing the Jenkins controller file system
files-found-trigger 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be...
Missing permission checks in compuware-ispw-operations
compuware-ispw-operations 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Missing permission checks in lucene-search
lucene-search 370.v62a5f618cd3a and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them. As of publication of this advisory, there is no...
CSRF vulnerability in external-monitor-job
external-monitor-job 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to create runs of an external job. external-monitor-job 192.ve979ca8b3ccd requires POST request...
Path traversal vulnerability in deployer-framework allows reading arbitrary files
deployer-framework 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service...
Agent-to-controller security bypass in compuware-ispw-operations
compuware-ispw-operations defines a controller/agent message that retrieves Java system properties. compuware-ispw-operations 1.0.8 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system...
Stored XSS vulnerability in dynamic_extended_choice_parameter
dynamic_extended_choice_parameter 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn...
Stored XSS vulnerability in maven-metadata-plugin
maven-metadata-plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory...
Missing permission check in android-signing allows listing workspace contents
android-signing 2.2.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...
Missing permission check in buckminster
buckminster 1.1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be used to...
CSRF vulnerability and missing permission check in coverity allow capturing credentials
coverity 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Reflected XSS vulnerability in lucene-search
lucene-search 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the search result page. This results in a reflected cross-site scripting (XSS) vulnerability. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in google-cloud-backup
google-cloud-backup 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to request a manual backup. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability...
Missing permission check in coverity allows enumerating credentials IDs
coverity 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As ...
Missing permission checks in hashicorp-vault-plugin allow capturing credentials
hashicorp-vault-plugin 354.vdb858fd6bf48 and earlier does not perform permission checks in several HTTP endpoints performing Vault connection tests. This allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys. hashicorp-vault-plug...
Arbitrary file write vulnerability in clif-performance-testing
clif-performance-testing 64.vc0d66de1dfbf and earlier allows users to extract files from an archive without validating file paths of files contained within the archive. This allows attackers with Overall/Read permission to create or replace arbitrary files on the Jenkins controller file system wi...
Missing permission checks in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Missing permission checks in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs...
Missing permission check in repository-connector allows listing the Jenkins controller file system
repository-connector 2.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can b...