1464 matches found
Stored XSS vulnerability in uno-choice
uno-choice 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5.7 escapes references to parameter names...
Stored XSS vulnerability in scriptler
scriptler 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create Scriptler scripts. scriptler 3.4 escapes the name of scripts on the UI when asking...
XXE vulnerability in performance
performance 3.20 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or...
Agent-to-controller security bypass in Squash TM Publisher (Squash4Jenkins) allows writing arbitrary files
Squash TM Publisher Squash4Jenkins 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input. This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JS...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...
Agent-to-controller access control allows reading/writing most content of build directories
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related...
Path traversal vulnerability in subversion allows reading arbitrary files
subversion 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. subversion 2.15.1 checks for the presence ...
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...
Improper handling of equivalent directory names on Windows
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character example., the file or folder will be treated as if that character was not present example. As both are legal names f...
Jenkins core bundles vulnerable version of the commons-httpclient library
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier bundles a version of the commons-httpclient library with the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2014-3577CVE-2014-3577 that incorrectly verified SSL/TLS certificates, making it susceptible to man-in-the-middle attacks. This librar...
Path traversal vulnerability on Windows
The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission Windows controller o...
Stored XSS vulnerability in git
git 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted commit notifications to the...
azure-ad allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. azure-ad implements this extension point for URLs used by a JavaScript component. In azure-ad 179.vf6841393099e and earlier this implementation is too permissive, allowing...
Password stored in plain text by nomad
nomad 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration. These passwords can be viewed by users with access to the Jenkins controller file system. nom...
XXE vulnerability in nested-view
nested-view 1.20 and earlier does not configure its XML transformer to prevent XML external entity XXE attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or...
RCE vulnerability in code-coverage-api
code-coverage-api 1.4.0 and earlier does not apply https://github.com/jenkinsci/jep/tree/master/jep/200JEP-200 deserialization protection to Java objects it deserializes from disk. This results in a remote code execution RCE vulnerability exploitable by attackers able to control agent processes...
saml allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. saml implements this extension point for the URL that users are redirected to after login. In saml 2.0.7 and earlier this implementation is too permissive, allowing attackers t...
XXE vulnerability in seleniumhtmlreport
seleniumhtmlreport 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of...
Improper permission checks allow canceling queue items and aborting builds
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types ...
Open redirect vulnerability in cas-plugin
cas-plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. cas-plugin 1.6....
Missing permission check in requests allows viewing pending requests
requests 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. requests 2.2.7 requires Overall/Administer permission to view the list of pending requests. NOTE: The previous sentence...
CSRF vulnerabilities in requests
requests 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleti...
Missing permission check in requests allows sending emails
requests 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. requests 2.2.8 requires Overall/Administer permission to send test emails...
Session fixation vulnerability
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1. Jenkins 2.300, LTS 2.289.2...
XXE vulnerability in generic-webhook-trigger
generic-webhook-trigger 1.72 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to call webhooks configured to extract parameters using XPath to have Jenkins parse a crafted XML request body that uses external entities...
Stored XSS vulnerability in scriptler
scriptler 3.2 and earlier does not escape parameter names shown in job configuration forms. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Scriptler/Configure permission. scriptler 3.3 escapes parameter names shown in job configuration forms...
Stored XSS vulnerability in scriptler
scriptler 3.1 and earlier does not escape script content. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Scriptler/Configure permission. scriptler 3.2 escapes script content...
CSRF vulnerability and missing permission check in deployit-plugin allows capturing credentials
deployit-plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Missing permission checks allow enumerating credentials IDs in kubernetes-cli
kubernetes-cli 1.10.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission check in deployit-plugin allows enumerating credentials IDs
deployit-plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials usin...
Reflected XSS vulnerability in kiuwanJenkinsPlugin
kiuwanJenkinsPlugin 1.6.0 and earlier does not escape output that can indirectly be controlled through query parameters in an error message for a form validation endpoint. This results in a reflected cross-site scripting XSS vulnerability. NOTE: Only older releases of Jenkins are affected by this...
XXE vulnerability in fstrigger
fstrigger 0.40 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for changes to have Jenkins parse a crafted XML document that uses...
XXE vulnerability in urltrigger
urltrigger 0.48 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML...
XXE vulnerability in nuget
nuget 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This XML parser is used for the "Build on NuGet updates" feature. This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a...
XSS vulnerability in markdown-formatter
markdown-formatter 0.1.0 and earlier uses a Markdown library to parse Markdown that does not escape crafted link target URLs. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup...
Stored XSS vulnerability in dashboard-view
dashboard-view 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Configure permission. dashboard-view 2.16 does not render unsafe URLs. As part of this fix, the property...
Missing permission check in s3
s3 0.11.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain the list of configured profiles. s3 0.11.7 performs permission checks when providing a list of configured profiles...
CSRF vulnerability and missing permission checks in p4
p4 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints implementing connection tests. This allows attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password. Additionally, these HTTP...
Reflected XSS vulnerability in credentials
credentials 2.3.18 and earlier does not escape user-controlled information on a view it provides. This results in a reflected cross-site scripting XSS vulnerability. credentials 2.3.19 restricts the user-controlled information it provides to a safe subset...
Missing permission checks in s3 allow obtaining metadata about artifacts
s3 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models. This allows attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. s3 0.11.7 requires...
CSRF vulnerability in xray-connector allows capturing credentials
xray-connector 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...
Missing permission check in xray-connector allows enumerating credentials IDs
xray-connector 2.4.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
XXE vulnerability in xcode-plugin
xcode-plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the Xcode build step to have Jenkins parse a crafted Xcode Workspace File that uses external entities for extraction of secrets...
Missing permission check in electricflow allows scheduling builds
electricflow 1.1.21 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. electricflow 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint...
XXE vulnerability in config-file-provider
config-file-provider 3.7.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets...
CSRF vulnerability in config-file-provider allows deleting configuration files
config-file-provider 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix o...
Remote code execution vulnerability in templating-engine
templating-engine 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin. This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. templating-engine 2.2 integrates with Script...
Incorrect permission checks in config-file-provider allow enumerating credentials IDs
config-file-provider 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture...
Missing permission checks in config-file-provider allow enumerating configuration file IDs
config-file-provider 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in config-file-provider 3.7.1 requires the appropriate permissions...
Denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.285 and earlier, LTS...