Support bundles can include user session IDs in support-core
support-core 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md). In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle...
XSS vulnerability in claim
claim 2.18.1 and earlier does not escape the user display name shown in claims. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. NOTE: Everyone...
Stored XSS vulnerability in artifact-repository-parameter
artifact-repository-parameter 1.0.0 and earlier does not escape parameter names and descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. artifact-repository-parameter 1.0.1 escapes parameter names and descriptions...
CSRF vulnerability in configurationslicing
configurationslicing 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs...
Stored XSS vulnerability in uno-choice
uno-choice 2.5.2 and earlier does not escape reference parameter values. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5.3 escapes reference parameter values...
Privilege escalation vulnerability in bundled Spring Security library
Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persists temporarily elevated privileges in some circumstances in a user's session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4. Jenkins 2.266 through 2.279 inclusive includes releases of Spring Securi...
Arbitrary file read vulnerability in workspace browsers
Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2. This allows attackers with Job/Workspace...
Reflected XSS vulnerability in markup formatter preview
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS...
Improper handling of REST API XML deserialization errors
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards t...
Arbitrary file existence check in file fingerprints
Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint...
Missing permission check for paths with specific prefix
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with...
XSS vulnerability in notification bar
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents typically shown after form submissions via the Apply button. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents. Jenkins...
Stored XSS vulnerability in button labels
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. Examples of buttons with user-controlled labels are the buttons of the...
Path traversal vulnerability in agent names
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins...
XSS vulnerability in tics
tics 2020.3.0.6 and earlier does not escape TICS service responses. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content. tics 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate...
Stored XSS vulnerability on new item page
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. NOTE: As of the publicati...
Arbitrary file read vulnerability in workspace browsers
The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspac...
Excessive memory allocation in graph URLs leads to denial of service
Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters. This allows attackers to request or to...
Credentials stored in plain text by ecutest
ecutest 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration. These credentials can be viewed by users with access to the Jenkins...
Credentials stored in plain text by bumblebee
bumblebee 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration. These credentials can be viewed by users with access to the Jenkins controller file system...
XXE vulnerability in cvs
cvs 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
CSRF vulnerability in shelve-project-plugin
shelve-project-plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to shelve, unshelve, or delete a project. shelve-project-plugin 3.1 requires POST requests for the affected...
Missing permission checks in chaos-monkey
chaos-monkey 0.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to generate load and to generate memory leaks. chaos-monkey 0.4 requires Overall/Administer permission to generate load and to generate memory leaks...
Plugin Installation Manager Tool did not verify plugin downloads
Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running. Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as...
Missing permission checks in chaos-monkey
chaos-monkey 0.4 and earlier does not perform permission checks in an HTTP endpoint. This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. chaos-monkey 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and ...
XXE vulnerability in visualworks-store
visualworks-store 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to control the output of a script that runs Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file...
Authentication cache in active-directory allows logging in with any password
active-directory implements two separate modes: integration with ADSI on Windows, and an OS-agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications. In active-directory 2.19 and earlier, when run in Windows/ADSI mode...
XXE vulnerability in subversion
subversion 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or...
Missing permission check in mercurial
mercurial 2.11 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. mercurial 2.12 performs permission checks when listing configured Mercurial installations...
Missing permission check in kubernetes allows listing pod templates
kubernetes 1.27.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to list global pod template names. kubernetes 1.27.4 requires Overall/Administer permission to list global pod template names...
Missing permission check in kubernetes allows enumerating credentials IDs
kubernetes 1.27.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. A...
Missing permission check in aws-global-configuration allows replacing plugin configuration
aws-global-configuration 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions. This allows attackers with Overall/Read permission to replace the global AWS configuration. aws-global-configuration 1.6 properly performs permission checks when processin...
Password written to the build log by sqlplus-script-runner
sqlplus-script-runner 2.0.12 and earlier prints the sqlplus command invocation to the build log. This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission. sqlplus-script-runner 2.0.13 no longer prints t...
Password stored in plain text by jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
Login allowed with hardcoded password by active-directory
active-directory implements two separate modes: integration with ADSI on Windows, and an OS-agnostic LDAP-based mode. The LDAP-based mode in active-directory 2.19 and earlier shares code between user lookup and user authentication and distinguishes these behaviors through the use of a magic...
Login allowed with empty password by active-directory
active-directory implements two separate modes: integration with ADSI on Windows, and an OS-agnostic LDAP-based mode. The Windows/ADSI mode does not specifically prohibit use of empty passwords in active-directory 2.19 and earlier. If the Active Directory server allows the unauthenticated bind...
Missing permission check in active-directory allows accessing domain health check page
active-directory 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. active-directory 2.20 requires Overall/Administer permission to access the domain health check diagnosti...
Missing permission checks in azure-keyvault allow enumerating credentials IDs
azure-keyvault 2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Password stored in plain text by labmanager
labmanager 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability in active-directory
active-directory 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to perform connection tests, connecting to...
XXE vulnerability in mercurial
mercurial 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controlle...
Jenkins controller environment variables accessible in kubernetes
kubernetes 1.27.3 and earlier includes a feature to replace placeholders in pod template and container template fields with environment variable values. This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables. kubernetes 1.27.4 disables this...
Missing permission checks in ansible allow enumerating credentials IDs
ansible 1.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Stored XSS vulnerability in Static Analysis Utilities
Static Analysis Utilities 1.96 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in FindBugs
FindBugs 5.0.0 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to FindBugs's post-build step. As of publication of this advisory, there is no fix...
Passwords stored in plain text by mailcommander
mailcommander 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisor...
Incorrect default pattern in audit-trail
audit-trail uses regular expressions to match requested URLs whose dispatch should be logged. In audit-trail 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling. audit-trail 3.7 changes...
Request logging could be bypassed in audit-trail
audit-trail logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in audit-trail 3.6 and earlier. This only...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. This issue is caused by an incomplete fix for...
Arbitrary file read vulnerability in Persona
Persona 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...