Multiple XSS vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript into the Jenkins UI: SECURITY-2779 / CVE-2022-34170: Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name,...
Observable timing discrepancy allows determining username validity
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This...
Stored XSS vulnerability in junit
junit 1119.vaa5e9068dad7 and earlier does not escape descriptions of test results. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. junit 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test...
Path traversal vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths ...
Improper authorization in embeddable-build-status bypasses ViewStatus permission requirement
embeddable-build-status 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or...
Passwords stored in plain text by convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
Agent-to-controller security bypass in xunit
xunit 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parses files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Agent Server Parameter 1.1 and earlier SECURITY-2731 / CVE-2022-34183 CRX Content Package Deployer 1.9 and earlier SECURITY-2727 / CVE-2022-34184 Date Parameter Plugin 0.0.4 and earlier SECURITY-2711 /...
CSRF vulnerability and missing permission checks in beaker-builder
beaker-builder 1.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a...
CSRF vulnerability and missing permission check in threadfix
threadfix 1.5.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Passwords stored in plain text by Squash TM Publisher (Squash4Jenkins)
Squash TM Publisher (Squash4Jenkins) 1.0.0 and earlier stores passwords unencrypted in its global configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller...
CSRF vulnerability and missing permission check in vmware-vrealize-orchestrator
vmware-vrealize-orchestrator 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a...
Multiple SCM plugins can check out from the controller file system
SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs). Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unles...
Multiple vulnerabilities in Windows Remote Command library in windows-slaves
windows-slaves 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it. This library has a buffer overflow vulnerability that may allow users able to...
XXE vulnerability in Storable Configs
Storable Configs 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
Stored XSS vulnerability in rundeck
rundeck 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads. rundeck 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads...
CSRF vulnerability in script-security
script-security 1158.v7c1b73a69a08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. This form...
CSRF vulnerability and missing permission checks in blueocean
blueocean 1.25.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to send requests to an attacker-specified URL. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF)...
Missing permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
CSRF vulnerability and missing permission checks in ssh allow capturing credentials
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Application Detector Plugin 1.0.8 and earlier SECURITY-2732 / CVE-2022-30960 Autocomplete Parameter Plugin 1.1 and earlier SECURITY-2729 / CVE-2022-30961 Global Variable String Parameter Plugin 1.2 and...
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in workflow-cps
workflow-cps allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In workflow-cps 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and...
User-scoped credentials exposed to other users by blueocean-pipeline-scm-api
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
Missing permission check in ssh allows enumerating credentials IDs
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
CSRF vulnerability in Autocomplete Parameter results in RCE
Autocomplete Parameter 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code without sandbox protection if the...
Stored XSS vulnerability in Autocomplete Parameter
Autocomplete Parameter 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from JavaScript embedded in view definitions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure...
Promotion names in promoted-builds are not validated when using Job DSL
promoted-builds provides dedicated support for defining promotions using Job DSL Plugin. promoted-builds 873.v6149dbd64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a...
Private key stored in plain text by google-compute-engine
google-compute-engine 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Credentials Plugin 1111.v35a307992395 and earlier SECURITY-2690 / CVE-2022-29036 CVS Plugin 2.19 and earlier SECURITY-2700 / CVE-2022-29037 Extended Choice Parameter Plugin 346.vd87693c5a86c and earlier...
Untrusted users can modify some Pipeline libraries in workflow-cps-global-lib
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definitio...
CSRF vulnerability in subversion
subversion 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to connect to an attacker-specified URL. subversion 2.15.4 requires POST requests for the affected...
CSRF vulnerability and missing permission checks in publish-over-ftp
publish-over-ftp 1.16 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Additionally, these form validation methods do not require POST...
Missing permission checks in atlassian-bitbucket-server-integration
atlassian-bitbucket-server-integration 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. atlassian-bitbucket-server-integration 3.2.0 requires Overall/System Re...
Passwords stored in plain text by instant-messaging
instant-messaging provides a framework for plugins integrating Jenkins with instant messaging services. instant-messaging 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging on the Jenkins controller. These passwords...
CSRF vulnerability and missing permission check in JiraTestResultReporter
JiraTestResultReporter 165.v817928553942 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation...
XSS vulnerability in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core (DirectoryBrowserSupport) to serve reports. This fork removes the Content-Security-Policy header functionality introduced for SECURITY-9...
Missing permission check in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. ci-with-toad-edge 2.4 requires...
XXE vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Arbitrary file read vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller using the Choosing Tests parameter. As of publication of this advisory, there is no fix. Learn why we announce this...
Password stored in plain text by proxmox
proxmox 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. proxmox 0.6.0 stores the Proxmox Datacenter...
XXE vulnerability in covcomplplot
covcomplplot 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the 'Public Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a crafted file that uses external entities f...
Arbitrary file read vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier implements a Pipeline step ftp to upload files to an FTP server without limiting the source directory. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server...
Missing permission checks in Pipeline: Phoenix AutoTest allow enumerating credentials IDs
Pipeline: Phoenix AutoTest 1.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...
Stored XSS vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix...
Path traversal vulnerability on Windows in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core (DirectoryBrowserSupport) to serve reports. The fork did not receive the fix for SECURITY-2481 in Jenkins 2.315 and LTS 2.303.2. This...
Stored XSS vulnerability in ownership
ownership 0.13.0 and earlier does not escape the names of secondary owners. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in ownership
ownership 0.13.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to restore the default ownership of a job. As of publication of this advisory, there is no fix. Learn why we announce...
Stored XSS vulnerability in atlassian-bitbucket-server-integration
atlassian-bitbucket-server-integration 2.0.0 through 3.1.0 inclusive does not limit URL schemes for callback URLs on OAuth consumers. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers...
Stored XSS vulnerability in sitemonitor
sitemonitor 0.6 and earlier does not escape URLs of sites to monitor in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in rocketchatnotifier
rocketchatnotifier 1.4.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method...