Missing permission check in conjur-credentials allows enumerating credentials IDs
conjur-credentials 1.0.11 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in Chef Sinatra allow XXE
Chef Sinatra 1.20 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse the response as XML. As the plugin does not configure...
CSRF vulnerability and missing permission check in SWAMP allows capturing credentials
SWAMP 1.2.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
DoS vulnerability in bundled XStream library
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library's vulnerability CVE-2021-43859 (https://x-stream.github.io/CVE-2021-43859.html). This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numero...
CSRF vulnerability in build triggers
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to trigger builds of jobs without...
CSRF vulnerability and missing permission checks in mailer
mailer 391.ve4a38c1bcf4b and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Additionally, this form validation method does n...
Agent-to-controller security bypass in conjur-credentials allows retrieving all credentials
conjur-credentials 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller. This allows attackers able to control agent processes to retrieve those credentials. As of publication of this...
Missing permission checks in ssh-agent allow enumerating credentials IDs
ssh-agent 1.23 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
Access key stored in plain text by metrics
metrics 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration. This access key can be viewed by users with access to the Jenkins controller file system. metrics 4.0.2.8.1...
User passwords transmitted in plain text by active-directory
active-directory implements two separate modes: integration with ADSI on Windows, and an OS-agnostic LDAP-based mode. active-directory 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS...
Non-constant time token comparison in configuration-as-code
configuration-as-code 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. configuration-as-code 1.55.1 now uses a constant-time...
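The fix class described above, shown as an added example rather than the configuration-as-code plugin's own code: a token check that short-circuits on the first mismatching character leaks how much of the guess was right, while a comparison that always walks the full length does not. The class and method names are assumptions; java.security.MessageDigest.isEqual is the standard JDK primitive.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example, not code from configuration-as-code. */
public final class TokenCompare {

    /** Leaky: String.equals returns at the first differing character, so the
     *  elapsed time grows with the length of the correct prefix. */
    public static boolean equalsLeaky(String expected, String presented) {
        return expected.equals(presented);
    }

    /** Constant-time for equal-length inputs: MessageDigest.isEqual examines every
     *  byte before answering. It still returns early when the lengths differ. */
    public static boolean equalsConstantTime(String expected, String presented) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Hash both sides first so the comparison always runs over two 32-byte
     *  digests; neither the content nor the length of the real token is observable. */
    public static boolean equalsHashed(String expected, String presented) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = md.digest(presented.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String stored = "example-token-value"; // constructed sample, not a real token
        System.out.println(equalsLeaky(stored, "example-token-valuX"));
        System.out.println(equalsConstantTime(stored, "example-token-value"));
        System.out.println(equalsHashed(stored, "short"));
    }
}
```

Hashing before comparing is the shape to prefer when the presented value is attacker-controlled and its length is not public, since the length-mismatch early return of isEqual is then harmless.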
Agent-to-controller security bypass in Debian Package Builder
Debian Package Builder 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller. This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller. As of publication of...
Stored XSS vulnerability in matrix-project
matrix-project 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. matrix-project 1.20 escapes HTML metacharacters in node an...
Missing permission check in credentials-binding allows validating secret file credentials IDs
credentials-binding 1.27 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. credentials-binding 1.27.1 performs...
OS command execution vulnerability in docker-commons
docker-commons 1.17 and earlier does not sanitize the name of an image or a tag. This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository. docker-commons 1.18...
Missing permission checks in cloudbees-bitbucket-branch-source allow enumerating credentials IDs
cloudbees-bitbucket-branch-source 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the...
CSRF vulnerability in cloudbees-bitbucket-branch-source allows capturing credentials
cloudbees-bitbucket-branch-source 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified...
Path traversal vulnerability in warnings-ng
warnings-ng 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID. This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system. warnings-ng 9.10.3 checks for the presence of...
Stored XSS vulnerability in badge
badge allows adding custom build badges with a custom description and optionally a link to a URL. badge 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge. This results in a stored cross-site scripting (XSS) vulnerability exploitable by...
Improper credentials masking in hashicorp-vault-plugin
Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy...
Stored XSS vulnerability in Publish Over SSH
Publish Over SSH 1.22 and earlier does not escape the SSH server name. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission checks in Publish Over SSH
Publish Over SSH 1.22 and earlier does not perform permission checks in methods implementing connection tests. This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. Additionally, these connection test methods do not...
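The "missing permission check in a form validation method" pattern recurs on this page (Chef Sinatra, SWAMP, mailer, credentials-binding, cloudbees-bitbucket-branch-source, Publish Over SSH). The following is an added example, not code from any of those plugins, of the vulnerable shape beside the hardened one: the hardened method is limited to POST, so Jenkins's CSRF crumb is required, and it demands the same permission the surrounding configuration form requires before touching anything attacker-supplied. The class name, display name and the plain TCP probe are assumptions; the Jenkins and Stapler APIs used are real.

```java
import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

/** Added example, not code from any plugin named on this page. */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    @Override
    public String getDisplayName() {
        return "Example server (added illustration)";
    }

    /** Vulnerable shape: reachable by GET with no permission check. Anyone with
     *  Overall/Read, or any web page a logged-in user visits, can make the
     *  controller open a connection to a host and port of their choosing. */
    public FormValidation doTestConnection(@QueryParameter String host,
                                           @QueryParameter int port) {
        return probe(host, port);
    }

    /** Hardened shape: POST only (the CSRF crumb is enforced) and the caller must
     *  hold the permission the form itself requires. Item is null on the global
     *  configuration page and set when the form lives inside a job. */
    @POST
    public FormValidation doTestConnectionSafe(@AncestorInPath Item item,
                                               @QueryParameter String host,
                                               @QueryParameter int port) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        // Any credentials lookup by an attacker-supplied ID belongs after this guard.
        return probe(host, port);
    }

    /** Assumed stand-in for the plugin's real connection test. */
    private static FormValidation probe(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 3_000);
            return FormValidation.ok("Connected");
        } catch (IOException e) {
            return FormValidation.error("Cannot connect: " + e.getMessage());
        }
    }
}
```

The check is placed before the network call, not after it: the advisories on this page describe exactly the case where the request is already sent (and credentials already used) by the time the result would be withheld.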
Path traversal vulnerability in Publish Over SSH
Publish Over SSH 1.22 and earlier validates a user-specified file name by reporting whether the file is present or not. This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the names of files on the Jenkins controller. As of publication of this...
Password stored in plain text by Publish Over SSH
Publish Over SSH 1.22 and earlier stores a password unencrypted in its global configuration file jenkins.plugins.publishoverssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. A...
CSRF vulnerability in batch task
batch task 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task. As of publication of this advisory,...
Agent-to-controller security bypass in conjur-credentials allows decrypting secrets
conjur-credentials 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret. This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. As of publicati...
Stored XSS vulnerability in uno-choice
uno-choice 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5.7 escapes references to parameter names...
XXE vulnerability in pom2config
pom2config 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or...
Stored XSS vulnerability in scriptler
scriptler 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts. scriptler 3.4 escapes the name of scripts on the UI when asking...
XXE vulnerability in performance
performance 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or...
XXE vulnerability in dependency-check-jenkins-plugin
dependency-check-jenkins-plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins...
Agent-to-controller security bypass in Squash TM Publisher (Squash4Jenkins) allows writing arbitrary files
Squash TM Publisher (Squash4Jenkins) 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input. This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JS...
Path traversal vulnerability in subversion allows reading arbitrary files
subversion 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. subversion 2.15.1 checks for the presence ...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...
Agent-to-controller access control allows reading/writing most content of build directories
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related...
Path traversal vulnerability on Windows
The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller o...
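The path traversal entries above (warnings-ng custom IDs, Publish Over SSH file names, the subversion key file lookup, and the Windows absolute-path case in the file browser) share two defences, shown here as an added example that is not Jenkins core or plugin code. When the input is supposed to be a single file name, reject anything that is not one; when subdirectories are legitimate, resolve against the base directory and prove containment. Class, method names and the sample base directory are assumptions; the java.nio.file calls are standard.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example, not Jenkins core or plugin code. */
public final class ControllerPaths {

    /** For inputs that must be one file name: no separators, no traversal, no
     *  drive-relative form. Both separator characters and ':' are rejected
     *  regardless of the controller OS, because the containment check below is
     *  evaluated with the controller's own path semantics and "C:name" or
     *  "..\\x" is a harmless single segment on Linux but not on Windows. */
    public static boolean isSimpleFileName(String name) {
        if (name == null || name.isEmpty()) return false;
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) return false;
        if (name.equals(".") || name.equals("..")) return false;
        if (name.indexOf(':') >= 0) return false;
        return true;
    }

    /** For inputs that may contain subdirectories. Path.resolve discards the base
     *  when the argument is absolute ("/etc/passwd", "C:\\...", "\\\\server\\share"),
     *  which is exactly the Windows case above, so startsWith catches it. */
    public static Path resolveWithin(Path base, String untrusted) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(untrusted).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("refusing path outside " + root + ": " + untrusted);
        }
        // normalize() does not follow symlinks; once the file exists, re-check its real location.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root.toRealPath())) {
            throw new IOException("symlink escapes " + root + ": " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Paths.get("/var/lib/jenkins/jobs/example/builds/1"); // constructed
        System.out.println(isSimpleFileName("report.xml"));
        System.out.println(isSimpleFileName("../../secrets/master.key"));
        System.out.println(resolveWithin(base, "archive/out.txt"));
        try {
            resolveWithin(base, "../../../../secrets/master.key");
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The "discover whether a file exists" variant on this page (Publish Over SSH) is the same bug with a smaller payoff: an existence check is still a read, so it gets the same guard.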
Stored XSS vulnerability in git
git 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the...
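The stored XSS entries above (matrix-project, badge, Publish Over SSH, uno-choice, scriptler, git) are all output-encoding failures, and badge adds a second one: a link whose scheme is never checked. This added example, not code from any of those plugins, shows the three controls a practitioner applies: HTML-escape any stored text before it reaches a page, allowlist the scheme of any stored link, and, where the input has a known shape such as the git SHA-1 in a commit notification, validate that shape on the way in. The class, method names and regex are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example, not code from any plugin named on this page. */
public final class StoredTextGuards {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Pattern SHA1 = Pattern.compile("[0-9a-f]{40}");

    /** Output encoding for HTML body and attribute contexts: the five metacharacters. */
    public static String htmlEscape(String text) {
        if (text == null) return "";
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Link allowlist: same-origin relative paths or absolute http(s) URLs.
     *  "javascript:", "data:" and protocol-relative "//evil" are rejected. */
    public static String safeLink(String link) {
        if (link == null || link.isBlank()) return null;
        String t = link.trim();
        if (t.startsWith("/") && !t.startsWith("//")) return t;
        try {
            String scheme = new URI(t).getScheme();
            if (scheme != null && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return t;
        } catch (URISyntaxException ignored) {
            // fall through: malformed means rejected
        }
        return null;
    }

    /** Input validation for a value with a fixed shape: a git object ID is 40 hex digits. */
    public static boolean isSha1(String s) {
        return s != null && SHA1.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed samples of the kind of input the advisories describe.
        System.out.println(htmlEscape("<img src=x onerror=alert(1)>"));
        System.out.println(safeLink("javascript:alert(document.domain)"));
        System.out.println(safeLink("https://ci.example/job/x/"));
        System.out.println(isSha1("<script>"));
        System.out.println(isSha1("da39a3ee5e6b4b0d3255bfef95601890afd80709"));
    }
}
```

Escaping belongs at the point of rendering rather than at storage time: the same value may be shown in HTML, in JSON and in a console log, and each needs its own encoding.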
Improper handling of equivalent directory names on Windows
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character ("example."), the file or folder will be treated as if that character was not present ("example"). As both are legal names f...
Jenkins core bundles vulnerable version of the commons-httpclient library
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier bundles a version of the commons-httpclient library with the vulnerability CVE-2014-3577 (https://nvd.nist.gov/vuln/detail/CVE-2014-3577) that incorrectly verified SSL/TLS certificates, making it susceptible to man-in-the-middle attacks. This librar...
XXE vulnerability in nested-view
nested-view 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or...
Password stored in plain text by nomad
nomad 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration. These passwords can be viewed by users with access to the Jenkins controller file system. nom...
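The plain-text storage entries above (metrics access keys, the Publish Over SSH password, the nomad registry passwords) are all the same defect: a String field that XStream writes verbatim into the plugin's XML file. The Jenkins-side fix is to hold the value in hudson.util.Secret, which is encrypted with the controller's instance key when persisted and decrypted only when the plugin asks for the plain text. This is an added example, not code from any of those plugins; the class name, field names and the legacy field being migrated are assumptions.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/** Added example, not code from any plugin named on this page. */
@Extension
public class RegistryCredentialsConfig extends GlobalConfiguration {

    /** Legacy field (assumed name): a String is serialized as-is, so the
     *  password sits in clear text in the XML file on the controller. Kept
     *  only so that old files can still be read and migrated. */
    @Deprecated
    private String registryPassword;

    /** Replacement: Secret serializes as an encrypted token, not the value. */
    private Secret registryPasswordSecret;

    public RegistryCredentialsConfig() {
        load(); // reads the XML file; readResolve() runs as part of that
    }

    /** Called by XStream after the object is deserialized: move any legacy
     *  clear-text value into the Secret. The file is rewritten on the next save. */
    protected Object readResolve() {
        if (registryPassword != null) {
            registryPasswordSecret = Secret.fromString(registryPassword);
            registryPassword = null;
        }
        return this;
    }

    public Secret getRegistryPasswordSecret() {
        return registryPasswordSecret;
    }

    /** Form binding: Jenkins converts a password field to Secret for you. */
    @DataBoundSetter
    public void setRegistryPasswordSecret(Secret registryPasswordSecret) {
        this.registryPasswordSecret = registryPasswordSecret;
        save();
    }

    /** Decrypt only at the point of use, and never log or render the result.
     *  Secret.toString(null) yields "" rather than throwing. */
    public String registryPasswordForLogin() {
        return Secret.toString(registryPasswordSecret);
    }
}
```

The caveat the advisories imply still holds after the fix: Secret protects the value at rest against someone reading the file, not against an administrator with script console access, who can call getPlainText() on the running instance.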
RCE vulnerability in code-coverage-api
code-coverage-api 1.4.0 and earlier does not apply JEP-200 (https://github.com/jenkinsci/jep/tree/master/jep/200) deserialization protection to Java objects it deserializes from disk. This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes...
saml allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. saml implements this extension point for the URL that users are redirected to after login. In saml 2.0.7 and earlier this implementation is too permissive, allowing attackers t...
azure-ad allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. azure-ad implements this extension point for URLs used by a JavaScript component. In azure-ad 179.vf6841393099e and earlier this implementation is too permissive, allowing...
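The extension point the saml and azure-ad entries refer to is hudson.security.csrf.CrumbExclusion: an implementation that returns true from process() tells Jenkins to skip the crumb check for that request. The page says only that both implementations were "too permissive"; the added example below, which is not code from either plugin, shows the restrictive form a practitioner wants, an exact match on the one path that needs the exemption. The class name and the callback path are assumptions.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example, not code from saml or azure-ad. */
@Extension
public class LoginCallbackCrumbExclusion extends CrumbExclusion {

    /** The single URL, relative to the Jenkins root, that the identity provider
     *  posts back to. Assumed name for illustration. */
    private static final String CALLBACK = "/securityRealm/finishLogin";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Path below the Jenkins context root, without the query string; may be null.
        String pathInfo = req.getPathInfo();

        // Too permissive (do not do this): a substring, prefix or suffix test can be
        // satisfied by a URL that merely contains the callback somewhere, e.g.
        //   if (req.getRequestURI().contains(CALLBACK)) { ... }
        // and then every such URL is exempt from CSRF protection, not just the callback.

        // Exact match only: the exemption covers precisely this path and nothing else.
        if (CALLBACK.equals(pathInfo)) {
            chain.doFilter(req, resp);
            return true;   // handled here; the crumb filter is skipped for this request
        }
        return false;      // not ours; normal CSRF protection applies
    }
}
```

Whether a padded URL such as the callback appended to some other endpoint actually reaches that endpoint depends on how Stapler routes the remaining path, which is why the safe shape does not reason about routing at all and matches the whole path exactly.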
Missing permission check in requests allows viewing pending requests
requests 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. requests 2.2.7 requires Overall/Administer permission to view the list of pending requests. NOTE: The previous sentence...
Session fixation vulnerability
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1. Jenkins 2.300, LTS 2.289.2...
XXE vulnerability in seleniumhtmlreport
seleniumhtmlreport 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of...
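The XXE entries on this page (pom2config, performance, dependency-check-jenkins-plugin, nested-view, seleniumhtmlreport) all come from a JAXP parser or transformer left at its defaults, which resolve external entities and DTDs. The added example below, not code from any of those plugins, builds a DocumentBuilder that refuses DOCTYPE declarations and external entities outright, and a TransformerFactory for the XSLT case (nested-view) that blocks external DTDs and stylesheets; the main method feeds it a constructed payload of the kind an attacker would drop into a workspace report. Class and method names are assumptions; the feature URIs and XMLConstants values are the standard JAXP ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example, not code from any plugin named on this page. */
public final class HardenedXml {

    /** Parser for report and config files from untrusted sources. The first feature
     *  alone stops XXE by refusing any DOCTYPE; the rest are belt-and-braces for
     *  parsers that ignore it. */
    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Factory for XSLT over untrusted input: no external DTDs or stylesheets. */
    public static TransformerFactory newTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Returns the root element name, or throws SAXException for a document with a DOCTYPE. */
    public static String rootElement(String xml)
            throws ParserConfigurationException, IOException, SAXException {
        Document d = newBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload targeting the controller's instance key.
        String hostile = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE report [<!ENTITY xxe SYSTEM \"file:///var/lib/jenkins/secrets/master.key\">]>\n"
                + "<report>&xxe;</report>";
        System.out.println(rootElement("<report><case name=\"ok\"/></report>"));
        try {
            rootElement(hostile);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If a report format legitimately carries a DTD, drop the disallow-doctype-decl line and keep the other three features; the external-entity switches are what stop the file read, the DOCTYPE ban is what also stops entity-expansion denial of service. Jenkins core additionally ships pre-hardened helpers in jenkins.util.xml.XMLUtils (parse and safeTransform) that plugins can call instead of configuring a factory by hand.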
Missing permission check in requests allows sending emails
requests 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. requests 2.2.8 requires Overall/Administer permission to send test emails...
CSRF vulnerabilities in requests
requests 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleti...