1464 matches found

Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 7 views

Agent-to-controller security bypass in compuware-ispw-operations

compuware-ispw-operations defines a controller/agent message that retrieves Java system properties. compuware-ispw-operations 1.0.8 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system...

CVSS 8.2 • AI score 7.9 • EPSS 0.0085 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 3 views

Agent-to-controller security bypass in compuware-zadviser-api

compuware-zadviser-api defines a controller/agent message that retrieves Java system properties. compuware-zadviser-api 1.0.3 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system properties...

CVSS 8.2 • AI score 7.9 • EPSS 0.00832 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission checks in repository-connector allow enumerating credentials IDs

repository-connector 2.2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CVSS 4.3 • AI score 5 • EPSS 0.00581 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Non-constant time webhook signature comparison in github

github 1.34.4 and earlier does not use a constant-time comparison when checking whether the provided and computed webhook signatures are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook signature. github 1.34.5 uses a constant-time comparison when...

CVSS 5.3 • AI score 5.5 • EPSS 0.00721 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 8 views

Missing permission checks in compuware-scm-downloader

compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...

CVSS 6.5 • AI score 6.4 • EPSS 0.00605 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Missing permission check in repository-connector allows listing the Jenkins controller file system

repository-connector 2.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can b...

CVSS 4.3 • AI score 5 • EPSS 0.00581 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 3 views

CSRF vulnerability and missing permission check in openshift-deployer

openshift-deployer 1.2.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload an SSH key file from...

CVSS 6.5 • AI score 5.6 • EPSS 0.00699 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission checks in hashicorp-vault-plugin allow capturing credentials

hashicorp-vault-plugin 354.vdb858fd6bf48 and earlier does not perform permission checks in several HTTP endpoints performing Vault connection tests. This allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys. hashicorp-vault-plug...

CVSS 6.5 • AI score 6.4 • EPSS 0.00605 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission check in rhnpush-plugin allows listing workspace contents

rhnpush-plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...

CVSS 4.3 • AI score 5 • EPSS 0.00569 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 6 views

CSRF vulnerability in jobConfigHistory

jobConfigHistory 1155.v28a46acc06a5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older...

CVSS 4.3 • AI score 5 • EPSS 0.00362 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 6 views

Missing permission check in deployer-framework allows reading deployment logs

deployer-framework 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. deployer-framework 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...

CVSS 4.3 • AI score 5 • EPSS 0.00486 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Path traversal vulnerability in deployer-framework

deployer-framework 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation. This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. deployer-framework...

CVSS 4.3 • AI score 5 • EPSS 0.00995 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission check in rpmsign-plugin allows listing workspace contents

rpmsign-plugin 0.5.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...

CVSS 4.3 • AI score 5 • EPSS 0.00581 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Missing permission checks in compuware-xpediter-code-coverage

compuware-xpediter-code-coverage 1.0.7 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs...

CVSS 4.3 • AI score 5 • EPSS 0.00569 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Missing permission checks in compuware-ispw-operations

compuware-ispw-operations 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...

CVSS 4.3 • AI score 5 • EPSS 0.00581 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Stored XSS vulnerability in dynamic_extended_choice_parameter

dynamic_extended_choice_parameter 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn...

CVSS 8 • AI score 5.3 • EPSS 0.00648 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Stored XSS vulnerability in maven-metadata-plugin

maven-metadata-plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory...

CVSS 8 • AI score 5.3 • EPSS 0.00552 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Arbitrary file write vulnerability in clif-performance-testing

clif-performance-testing 64.vc0d66de1dfbf and earlier allows users to extract files from an archive without validating file paths of files contained within the archive. This allows attackers with Overall/Read permission to create or replace arbitrary files on the Jenkins controller file system wi...

CVSS 8.8 • AI score 6.5 • EPSS 0.00674 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

CSRF vulnerability and missing permission check in openshift-deployer

openshift-deployer 1.2.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method...

CVSS 6.5 • AI score 6.2 • EPSS 0.00668 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 7 views

Missing permission checks in openstack-heat allow listing the Jenkins controller file system

openstack-heat 1.5 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be used to...

CVSS 4.3 • AI score 5 • EPSS 0.00486 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission check in android-signing allows listing workspace contents

android-signing 2.2.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...

CVSS 4.3 • AI score 5 • EPSS 0.00569 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 6 views

CSRF vulnerability and missing permission check in coverity allow capturing credentials

coverity 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 8.8 • AI score 6.3 • EPSS 0.0073 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

CSRF vulnerability in external-monitor-job

external-monitor-job 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to create runs of an external job. external-monitor-job 192.ve979ca8b3ccd requires POST request...

CVSS 4.3 • AI score 4.9 • EPSS 0.00362 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 6 views

CSRF vulnerability and missing permission checks in openstack-heat

openstack-heat 1.5 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these form validation methods do not require POST requests, resulting in a cross-sit...

CVSS 6.5 • AI score 5.4 • EPSS 0.00505 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission check in files-found-trigger allows listing the Jenkins controller file system

files-found-trigger 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be...

CVSS 4.3 • AI score 5 • EPSS 0.00581 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 5 views

Missing permission checks in compuware-topaz-utilities

compuware-topaz-utilities 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...

CVSS 4.3 • AI score 5 • EPSS 0.00569 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 6 views

CSRF vulnerability and missing permission check in google-cloud-backup

google-cloud-backup 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to request a manual backup. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability...

CVSS 8 • AI score 6 • EPSS 0.00505 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Missing permission check in buckminster

buckminster 1.1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be used to...

CVSS 4.3 • AI score 5 • EPSS 0.00486 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 8 views

Passwords stored in plain text by http_request

http_request 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.http_request.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by users with...

CVSS 6.5 • AI score 6.4 • EPSS 0.00723 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/07/27 12:00 a.m. • 4 views

Lack of authentication mechanism in git webhook

git provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In git 4.11....

CVSS 8.8 • AI score 6.4 • EPSS 0.05563 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

CSRF vulnerability in rrod

rrod 1.1.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to accept pending requests, thereby renaming or deleting jobs. As of publication of this advisory, there is no fix. Learn why ...

CVSS 4.3 • AI score 5 • EPSS 0.00454 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 10 views

Missing permission checks in build-metrics

build-metrics 1.3 and earlier does not perform a permission check in multiple HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. As of publication of this advisory, there is no fix. Learn why we announce this...

CVSS 4.3 • AI score 5 • EPSS 0.00644 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 7 views

Password stored in plain text by skype-notifier

skype-notifier 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As o...

CVSS 6.5 • AI score 6.4 • EPSS 0.00686 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 7 views

CSRF vulnerability and missing permission checks in failedJobDeactivator allow disabling jobs

failedJobDeactivator 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints. This allows attackers with Overall/Read permission to disable jobs. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF)...

CVSS 4.3 • AI score 4.9 • EPSS 0.00553 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

XSS vulnerability in testng-plugin

testng-plugin has options in its post-build step configuration to not escape test descriptions and exception messages. If those options are unchecked, testng-plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results. This results in a cross-site scripting (XSS)...

CVSS 8 • AI score 5.2 • EPSS 0.00567 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 4 views

XSS vulnerability in project-inheritance

project-inheritance 21.04.03 and earlier does not escape the reason a build is blocked in tooltips. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked. As of publication of this advisory, there is no fix. Learn why ...

CVSS 8 • AI score 5.3 • EPSS 0.00567 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 3 views

CSRF vulnerability and missing permission checks in Recipe allow XXE

Recipe 1.2 and earlier does not perform a permission check in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. As the plugin does not configure its XML parser to prevent XML external...

CVSS 8.8 • AI score 6.9 • EPSS 0.00885 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 4 views

Stored XSS vulnerability in ec2-deployment-dashboard

ec2-deployment-dashboard 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. As of publication of this advisory, there is no fix. Learn why w...

CVSS 8 • AI score 5.3 • EPSS 0.00602 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

Secrets stored in plain text by rocketchatnotifier

rocketchatnotifier 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller as part of its configuration. These secrets can be viewed by users with access to the Jenkins controller file system. As o...

CVSS 4.3 • AI score 5 • EPSS 0.00701 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 4 views

API Key stored in plain text by opsgenie

opsgenie 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration. Additionally, they are transmitted in plain text as part of the respectiv...

CVSS 4.3 • AI score 5 • EPSS 0.00557 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 3 views

Password stored in plain text by jigomerge

jigomerge 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...

CVSS 6.5 • AI score 6.4 • EPSS 0.00686 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 4 views

Missing permission checks in xlrelease-plugin allow enumerating credentials IDs

xlrelease-plugin 22.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CVSS 4.3 • AI score 5.6 • EPSS 0.00524 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 3 views

Stored XSS vulnerability in build-metrics

build-metrics 1.3 does not escape the build description on one of its views. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. As of publication of this advisory, there is no fix. Learn why we announce this...

CVSS 8 • AI score 5.3 • EPSS 0.0071 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

Stored XSS vulnerability in rich-text-publisher-plugin

rich-text-publisher-plugin 1.4 and earlier does not escape the HTML message set by its post-build step. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...

CVSS 8 • AI score 5.3 • EPSS 0.00567 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

Password stored in plain text by rqm-plugin

rqm-plugin 2.8 and earlier stores a password unencrypted in its global configuration file net.praqma.jenkins.rqm.RqmBuilder.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this...

CVSS 6.5 • AI score 6.4 • EPSS 0.00686 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 3 views

Incorrect permission check in rrod

rrod 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page listing pending requests. As of publication of this advisory, there is no fix. Learn why we announce this...

CVSS 4.3 • AI score 5 • EPSS 0.00557 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 4 views

CSRF vulnerability and missing permission checks in xlrelease-plugin allow capturing credentials

xlrelease-plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...

CVSS 6.5 • AI score 6.3 • EPSS 0.00647 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 3 views

Stored XSS vulnerability in matrix-reloaded

matrix-reloaded 1.1.3 and earlier does not escape the agent name in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...

CVSS 7.1 • AI score 5.3 • EPSS 0.00567 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 5 views

Password stored in plain text by ec2-deployment-dashboard

ec2-deployment-dashboard 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file...

CVSS 4.3 • AI score 5.1 • EPSS 0.00557 • Exploits: 0 • Affected software: 1
Jenkins Security Advisories • added 2022/06/30 12:00 a.m. • 7 views

CSRF vulnerability and missing permission checks in xpath-config-viewer

xpath-config-viewer 1.1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to create and delete XPath expressions. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery...

CVSS 4.3 • AI score 4.8 • EPSS 0.00553 • Exploits: 0 • Affected software: 1