1464 matches found
Agent-to-controller security bypass vulnerability in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability ...
Content-Security-Policy protection for user content disabled by XFramium Builder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. XFramium Builder 1.0.22 and earlier globally disables the Content-Security-Poli...
Content-Security-Policy protection for user content disabled by ScreenRecorder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. ScreenRecorder 0.7 and earlier programmatically updates the Java system propert...
Content-Security-Policy protection for user content can be disabled in 360 FireLine
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. 360 FireLine 1.7.2 and earlier globally disables the Content-Security-Policy...
Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin formerly Pipeline: Shared Groovy Libraries Plugin define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be...
CSRF protection for any URL can be bypassed in pipeline-stage-view
pipeline-stage-view provides a visualization of Pipeline builds. It also allows users to interact with input steps from Pipeline: Input Step Plugin. pipeline-stage-view 2.26 and earlier does not correctly encode the ID of input steps when using it to generate URLs to proceed or abort Pipeline...
Stored XSS vulnerability in workflow-support
workflow-support provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it...
XXE vulnerability in repo
repo 1.15.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
CSRF vulnerability in Katalon allows capturing credentials
Katalon 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
API keys stored in plain text by Katalon
Katalon 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Katalon 1.0.33 no longer stores the API...
Stored XSS vulnerability in contrast-continuous-application-security
contrast-continuous-application-security 3.9 and earlier does not escape data returned from the Contrast service when generating a report. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control or modify Contrast service API responses...
Agent-to-controller security bypass vulnerabilities in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier implements two agent/controller messages that do not limit where they can be executed. RemoteSystemProperties allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process...
Missing permission check in compuware-strobe-measurement allows enumerating credentials IDs
compuware-strobe-measurement 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline: Groovy Plugin
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...
Stored XSS vulnerability in cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, the...
Path traversal and CSRF vulnerability in build-publisher
build-publisher 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. Additionally, this endpoint does not require POST requests, resulting in a cross-sit...
Missing webhook endpoint authorization in rundeck
rundeck 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint. This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in Walti
Walti 1.0.1 and earlier does not escape the information provided by the Walti API. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide malicious API responses from Walti. As of publication of this advisory, there is no fix. Learn why we announc...
XXE vulnerability in rqm-plugin
rqm-plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets fro...
Missing hostname validation in smalltest
smalltest 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce...
Missing permission check in apprenda allows enumerating credentials IDs
apprenda 2.2.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As o...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
Missing permission check in extreme-feedback
extreme-feedback 1.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. As of publication of this...
Lack of authentication mechanism in DotCi webhook
DotCi provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository. In DotCi 2.40.00 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the...
CSRF vulnerability and missing permission check in scm-httpclient allow capturing credentials
scm-httpclient 1.5 and earlier does not perform permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Missing permission checks in CONS3RT allow enumerating credentials IDs
CONS3RT 1.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. ...
Stored XSS vulnerability in anchore-container-scanner
anchore-container-scanner 1.0.24 and earlier does not escape content provided by the Anchore engine API. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control API responses by Anchore engine. anchore-container-scanner 1.0.25 escapes content...
XXE vulnerability in compuware-common-configuration
compuware-common-configuration 1.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities fo...
Missing permission check in build-publisher
build-publisher 1.22 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins...
Missing permission checks in rundeck
rundeck 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints. This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. As of publication of this...
XSS vulnerability
Jenkins 2.367 through 2.369 both inclusive does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control tooltips for this component. NOTE: As of...
CSRF vulnerability and missing permission check in cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password. Additionally, this form...
Agent-to-controller security bypass in wildfly-deployer allows reading arbitrary files
wildfly-deployer 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. NOTE: This vulnerability is...
CSRF vulnerability in security-inspector
security-inspector 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users a...
RCE vulnerability in DotCi
DotCi 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by attackers able to modify .ci.yml files in SCM. As of publication of this advisory, there is no fix. Learn why we...
Missing hostname validation in view26
view26 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in ws-execution-manager allow capturing credentials
ws-execution-manager 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
API key stored in plain text by bigpanda-jenkins
bigpanda-jenkins 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. Additionally, the...
CSRF vulnerability and missing permission checks in CONS3RT allow capturing credentials
CONS3RT 1.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials...
API token stored in plain text by CONS3RT
CONS3RT 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins LTS 2.346.3 and earlier,...
Improper masking of credentials in git
git 4.11.4 and earlier does not properly mask i.e., replace with asterisks credentials in the build log provided by the Git Username and Password gitUsernamePassword credentials binding. Usernames are masked instead of passwords in cases when usernames are not set to be treated as secret. git...
RCE vulnerability in Kubernetes Continuous Deploy
Kubernetes Continuous Deploy 2.3.1 and earlier bundles a version of Kubernetes Java Client library with the vulnerability https://vulners.com/cve/CVE-2021-25738CVE-2021-25738 that does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code...
RabbitMQ password stored in plain text by collabnet
collabnet 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file hudson.plugins.collabnet.share.TeamForgeShare.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
Stored XSS vulnerability in jobConfigHistory
jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure job names. jobConfigHistory 1166.vc9f255f45b8a escapes the job name on...
Missing hostname verification in git-client
git-client 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH. This lack of verification could be abused using a man-in-the-middle attack to intercept these connections. git-client 3.11.1 provides strategies for performing host key verificati...
Missing permission checks in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Missing permission checks in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs...
Agent-to-controller security bypass in compuware-zadviser-api
compuware-zadviser-api defines a controller/agent message that retrieves Java system properties. compuware-zadviser-api 1.0.3 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system properties...
Missing permission checks in repository-connector allow enumerating credentials IDs
repository-connector 2.2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...