1442 matches found
XXE vulnerability in flaky-test-handler
flaky-test-handler 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or...
SSL/TLS certificate validation globally disabled by proxmox
proxmox 0.6.0 and earlier disables SSL/TLS certificate validation for the entire Jenkins controller JVM when configured to ignore SSL/TLS issues. proxmox 0.7.0 no longer disables SSL/TLS certificate validation for the entire Jenkins controller JVM...
CSRF vulnerability and missing permission checks in proxmox
proxmox 0.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to: connect to an attacker-specified host using attacker-specified username and password, performing a connection test, disable SSL/TLS validation for the...
Arbitrary file read vulnerability in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. ci-with-toad-edge 2.4 only allows copying files from the node the build is...
CSRF vulnerability and missing permission check in ownership
ownership 0.13.0 and earlier does not perform a permission check in several HTTP endpoints. This allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. Additionally, this endpoint does not require POST requests, resulting in a cross-site request...
Path traversal vulnerability in Pipeline: Phoenix AutoTest allows reading arbitrary files
Pipeline: Phoenix AutoTest 1.3 and earlier implements a Pipeline step copy to copy files from the running build's directory on the Jenkins controller to an agent without sanitizing the path specified. This allows attackers with Item/Configure permission to copy arbitrary files and directories fro...
Arbitrary JSON and property file read vulnerability in extended-choice-parameter
extended-choice-parameter 346.vd87693c5a86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission checks in extended-choice-parameter allow SSRF
extended-choice-parameter 346.vd87693c5a86c and earlier does not perform a permission check on form validation methods. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these form validation methods do not require POST requests, resulting i...
Stored XSS vulnerability in favorite
favorite 2.4.0 and earlier does not escape the names of jobs in the favorite column. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions. favorite 2.4.1 escapes the names of jobs in the favorite column...
Arbitrary file read vulnerability in kubernetes-cd
kubernetes-cd contributes the 'Kubernetes configuration (kubeconfig)' credential type. kubernetes-cd 2.3.1 and earlier allows users with Credentials/Create or Credentials/Update permission to read arbitrary files on the Jenkins controller by defining a 'From a file on the Jenkins master' Kubeconfig...
CSRF vulnerability and missing permission checks in kubernetes-cd allow capturing credentials
kubernetes-cd 2.3.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Passwords stored in plain text by vmware-vrealize-codestream
vmware-vrealize-codestream 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
Agent-to-controller security bypass in semantic-versioning-plugin
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and returns version information. The XML parser is not configured to prevent XML external entity (XXE) attacks, which is only a problem if XML documents are parsed on the Jenkins controller...
Client Secret stored in plain text by gitlab-oauth
gitlab-oauth 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This client secret can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is...
Stored XSS vulnerability in global-build-stats
global-build-stats 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. As of publication of this advisory, there is...
Stored XSS vulnerability in Environment Dashboard
Environment Dashboard 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. As of publication of this advisory,...
Sensitive parameter values captured in build metadata files by parameterized-trigger
parameterized-trigger 2.43 and earlier captures environment variables passed to builds triggered using parameterized-trigger, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file...
Stored XSS vulnerability in dashboard-view
dashboard-view 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. dashboard-view 2.18.1 performs URL validation for the Iframe Portlet's Ifra...
CSRF vulnerability and missing permission checks in aws-credentials
aws-credentials 189.v3551d5642995 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. Additionally, this form validation method does not require...
Stored XSS vulnerability in folder-auth
folder-auth 1.3 and earlier does not escape the names of roles shown on the configuration form. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. folder-auth 1.4 escapes the names of roles shown on the configuration form...
Stored XSS vulnerability in extended-choice-parameter
extended-choice-parameter 346.vd87693c5a86c and earlier does not escape the value and description of Extended Choice Parameters with parameter type 'Radio Buttons' or 'Check Boxes'. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure...
Missing permission checks in kubernetes-cd allow enumerating credentials IDs
kubernetes-cd 2.3.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Stored XSS vulnerability in list-git-branches-parameter
list-git-branches-parameter 0.0.9 and earlier does not escape the name or default value of the 'List Git branches and more' parameter. Additionally, list-git-branches-parameter explicitly disables a protection mechanism introduced in Jenkins 2.44 and LTS 2.32.2 to prevent exploitation of unescape...
CSRF vulnerability and missing permission checks in release-helper
release-helper 1.3.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method does...
Passwords stored in plain text by dbCharts
dbCharts 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. A...
Personal tokens stored in plain text by incapptic connect uploader
incapptic connect uploader 1.15 and earlier stores personal tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication ...
Sandbox bypass vulnerability in workflow-cps-global-lib
workflow-cps-global-lib 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration. This allows attackers with Item/Configure permission to execute arbitrar...
Sensitive data stored in plain text by support-core
support-core has a feature to redact potentially sensitive information in the support bundle. support-core 2.79 and earlier does not redact some sensitive information in the support bundle. This sensitive information can be viewed by anyone with access to the bundle. support-core 2.79.1 adds a li...
CSRF vulnerability and missing permission check in SWAMP allows capturing credentials
SWAMP 1.2.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
Vulnerabilities in multiple Pipeline-related plugins allow reading arbitrary files on the controller
Multiple Pipeline-related plugins follow symbolic links or do not limit path names, resulting in arbitrary file read vulnerabilities: - Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading...
Agent-to-controller security bypass in hashicorp-vault-plugin allows reading arbitrary files
hashicorp-vault-plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. NOTE: This...
Agent-to-controller security bypass vulnerability in doktor
doktor 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc. Additionally, error messages allow attackers able to control agent processes to determine whether a file with a given name exists. As of publication of this...
OS command execution vulnerabilities in Pipeline-related plugins
Multiple Pipeline-related plugins that perform on-controller SCM checkouts reuse the same workspace directory for checkouts of distinct SCMs in some contexts. - Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file...
Sandbox bypass vulnerability in workflow-cps-global-lib
workflow-cps-global-lib 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create directories without canonicalization or sanitization. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially...
Password parameter default values exposed by pipeline-build-step
pipeline-build-step 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator. This allows attackers with Item/Read permission to retrieve the default password parameter value from jobs. pipeline-build-step 2.15.1 redacts...
CSRF vulnerability and missing permission checks in embotics-vcommander allow capturing credentials
embotics-vcommander 1.10 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing...
Open redirect vulnerability in gitlab-oauth
gitlab-oauth 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts and redirects users to that URL when the user has finished logging in. This allows attackers with access to Jenkins to craft a URL that will redirect users to a...
Stored XSS vulnerability in generic-webhook-trigger
generic-webhook-trigger 1.81 and earlier does not escape the build cause for the webhook. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to trigger builds using the webhook. generic-webhook-trigger 1.82 escapes the build cause when displayed on the U...
Path traversal vulnerability in fortify
fortify 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, which are used to write to files inside build directories. This allows attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with...
Stored XSS vulnerability in custom-checkbox-parameter
custom-checkbox-parameter 1.1 and earlier does not escape parameter names of custom checkbox parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. custom-checkbox-parameter 1.2 escapes parameter names of custom checkbo...
Missing permission check in conjur-credentials allows enumerating credentials IDs
conjur-credentials 1.0.11 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Stored XSS vulnerability in agent-server-parameter
agent-server-parameter 1.0 and earlier does not escape parameter names of agent server parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. agent-server-parameter 1.1 escapes parameter names of agent server parameters...
CSRF vulnerability and missing permission check in autonomiq
autonomiq 1.15 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting...
Missing synchronization vulnerability in convertigo-mobile-platform allows capturing passwords
convertigo-mobile-platform 1.1 and earlier uses static fields to store job configuration information. This allows attackers with Item/Configure permission to capture passwords of the jobs that will be configured. As of publication of this advisory, there is no fix. Learn why we announce this...
Sensitive information disclosure in workflow-cps
workflow-cps 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds. This allows attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. workflow-cps 2656.vf7ae7b75a457 does not allow...
Sandbox bypass vulnerability in workflow-cps-global-lib
workflow-cps-global-lib 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted...
Agent-to-controller security bypass in hashicorp-vault-plugin
hashicorp-vault-plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent. This allows attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key. The functionality that allows agen...
CSRF vulnerability and missing permission check in scp
scp 1.8 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified username and password. Additionally, this form validation method does not...
CSRF vulnerability and missing permission checks in checkmarx allow capturing credentials
checkmarx 2022.1.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Stored XSS vulnerability in promoted-builds-simple
promoted-builds-simple 1.9 and earlier does not escape the name of custom promotion levels. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. As of publication of this advisory, there is no fix. Learn why we announce this...