1464 matches found
Missing permission checks in build-metrics
build-metrics 1.3 and earlier does not perform a permission check in multiple HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. As of publication of this advisory, there is no fix. Learn why we announce this...
Missing permission checks in xlrelease-plugin allow enumerating credentials IDs
xlrelease-plugin 22.0.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Incorrect permission check in requests allows viewing pending requests
requests 2.2.16 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. NOTE: This is basically the same vulnerability as SECURITY-1995, whose fix was ineffective. requests 2.2.17...
CSRF vulnerability and missing permission checks in xlrelease-plugin allow capturing credentials
xlrelease-plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Stored XSS vulnerability in plot
plot 2.1.10 and earlier does not escape plot descriptions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Configure permission. As of publication of this advisory, there is no fix. Learn why w...
Missing permission checks in ec2-deployment-dashboard allow enumerating credentials IDs
ec2-deployment-dashboard 1.0.10 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anoth...
CSRF vulnerability and missing permission checks in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. Additionally, these endpoints do not require PO...
Tokens stored in plain text by build-notifications
build-notifications 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration: Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml Slack Bot Token in...
Password stored in plain text by skype-notifier
skype-notifier 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As o...
Token stored in plain text by cisco-spark
cisco-spark 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file org.jenkinsci.plugins.spark.SparkNotifier.xml on the Jenkins controller as part of its configuration. These bearer tokens can be viewed by users with access to the Jenkins controller file system. As of...
Password stored in plain text by rqm-plugin
rqm-plugin 2.8 and earlier stores a password unencrypted in its global configuration file net.praqma.jenkins.rqm.RqmBuilder.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this...
Missing permission check in xpath-config-viewer allows accessing XPath Configuration Viewer page
xpath-config-viewer 1.1.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data to every user...
Passwords stored in plain text by hpe-network-virtualization
hpe-network-virtualization 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file...
Improper authorization in embeddable-build-status bypasses ViewStatus permission requirement
embeddable-build-status 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or...
CSRF vulnerability and missing permission checks in convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting ...
Reflected XSS vulnerability in nested-view
nested-view 1.20 through 1.25 both inclusive does not escape search parameters. This results in a reflected cross-site scripting XSS vulnerability. nested-view 1.26 escapes search parameters...
Agent-to-controller security bypass in xunit
xunit 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain...
Observable timing discrepancy allows determining username validity
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This...
CSRF vulnerability and missing permission check in vmware-vrealize-orchestrator
vmware-vrealize-orchestrator 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a...
Passwords stored in plain text by Squash TM Publisher (Squash4Jenkins)
Squash TM Publisher Squash4Jenkins 1.0.0 and earlier stores passwords unencrypted in its global configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller...
Multiple XSS vulnerabilities
Multiple cross-site scripting XSS vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript into the Jenkins UI: SECURITY-2779 CVE-2022-34170: Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name,...
Stored XSS vulnerability in junit
junit 1119.vaa5e9068dad7 and earlier does not escape descriptions of test results. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Run/Update permission. junit 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 allows specifying a link query parameter that build status badges will link to, without restricting possible values. This results in a reflected cross-site scripting XSS vulnerability. embeddable-build-status 2.0.4 limits URLs to http and https protocols and correctl...
CSRF vulnerability and missing permission checks in jianliao
jianliao 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in...
CSRF vulnerability and missing permission check in threadfix
threadfix 1.5.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Path traversal vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths ...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Agent Server Parameter 1.1 and earlier SECURITY-2731 / CVE-2022-34183 CRX Content Package Deployer 1.9 and earlier SECURITY-2727 / CVE-2022-34184 Date Parameter Plugin 0.0.4 and earlier SECURITY-2711 /...
User passwords stored in plain text by easyqa
easyqa 1.0 and earlier stores user passwords unencrypted in its global configuration file EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory...
Arbitrary file write vulnerability in pipeline-input-step
pipeline-input-step 448.v37cea9a10a70 and earlier allows Pipeline authors to specify file parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not copied to the workspace, Jenkins archives the file on the controller as part of build metadata using th...
Passwords stored in plain text by convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
CSRF vulnerability and missing permission checks in easyqa
easyqa 1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. Additionally, this form validation method does not require POST requests, resulting in a...
CSRF vulnerability and missing permission checks in beaker-builder
beaker-builder 1.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a...
Unauthorized view fragment access
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access ...
Multiple SCM plugins can check out from the controller file system
SCMs support a number of different URL schemes, including local file system paths e.g. using file: URLs. Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unles...
User-scoped credentials exposed to other users by blueocean-pipeline-scm-api
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
Missing permission check in ssh allows enumerating credentials IDs
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
CSRF vulnerability and missing permission checks in ssh allow capturing credentials
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in workflow-cps
workflow-cps allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In workflow-cps 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and...
CSRF vulnerability in script-security
script-security 1158.v7c1b73a69a08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. This form...
Multiple vulnerabilities in Windows Remote Command library in windows-slaves
windows-slaves 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it. This library has a buffer overflow vulnerability that may allow users able to...
CSRF vulnerability and missing permission checks in blueocean
blueocean 1.25.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to send requests to an attacker-specified URL. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Missing permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
Stored XSS vulnerability in rundeck
rundeck 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads. rundeck 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Application Detector Plugin 1.0.8 and earlier SECURITY-2732 / CVE-2022-30960 Autocomplete Parameter Plugin 1.1 and earlier SECURITY-2729 / CVE-2022-30961 Global Variable String Parameter Plugin 1.2 and...
XXE vulnerability in Storable Configs
Storable Configs 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
CSRF vulnerability in Autocomplete Parameter results in RCE
Autocomplete Parameter 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute arbitrary code without sandbox protection if the...
Stored XSS vulnerability in Autocomplete Parameter
Autocomplete Parameter 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
CSRF vulnerability and missing permission checks in publish-over-ftp
publish-over-ftp 1.16 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Additionally, these form validation methods do not require POST...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Credentials Plugin 1111.v35a307992395 and earlier SECURITY-2690 / CVE-2022-29036 CVS Plugin 2.19 and earlier SECURITY-2700 / CVE-2022-29037 Extended Choice Parameter Plugin 346.vd87693c5a86c and earlier...