1464 matches found
Missing permission check in mercurial
mercurial 2.11 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. mercurial 2.12 performs permission checks when listing configured Mercurial installations...
Missing permission check in kubernetes allows enumerating credentials IDs
kubernetes 1.27.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. A...
Missing permission checks in ansible allow enumerating credentials IDs
ansible 1.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Password written to the build log by sqlplus-script-runner
sqlplus-script-runner 2.0.12 and earlier prints the sqlplus command invocation to the build log. This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission. sqlplus-script-runner 2.0.13 no longer prints t...
Stored XSS vulnerability in FindBugs
FindBugs 5.0.0 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to FindBugs's post build step. As of publication of this advisory, there is no fix...
Login allowed with empty password by active-directory
active-directory implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. The Windows/ADSI mode does not specifically prohibit use of empty passwords in active-directory 2.19 and earlier. If the Active Directory server allows the unauthenticated bind...
Missing permission check in active-directory allows accessing domain health check page
active-directory 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. active-directory 2.20 requires Overall/Administer permission to access the domain health check diagnosti...
XXE vulnerability in subversion
subversion 2.13.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or...
XXE vulnerability in mercurial
mercurial 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity XXE attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controlle...
Missing permission check in kubernetes allows listing pod templates
kubernetes 1.27.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to list global pod template names. kubernetes 1.27.4 requires Overall/Administer permission to list global pod template names...
Password stored in plain text by labmanager
labmanager 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Jenkins controller environment variables accessible in kubernetes
kubernetes 1.27.3 and earlier includes a feature to replace placeholders in pod template and container template fields with environment variable values. This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables. kubernetes 1.27.4 disables this...
Missing permission checks in azure-keyvault allow enumerating credentials IDs
azure-keyvault 2.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Password stored in plain text by jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
XXE vulnerability in visualworks-store
visualworks-store 1.1.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file...
Passwords stored in plain text by mailcommander
mailcommander 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisor...
Missing permission check in aws-global-configuration allows replacing plugin configuration
aws-global-configuration 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions. This allows attackers with Overall/Read permission to replace the global AWS configuration. aws-global-configuration 1.6 properly performs permission checks when processin...
Stored XSS vulnerability in Static Analysis Utilities
Static Analysis Utilities 1.96 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Improper authorization due to caching in role-strategy
role-strategy 2.12 and newer uses a cache to speed up permission lookups. In role-strategy 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no...
Request logging could be bypassed in audit-trail
audit-trail logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in audit-trail 3.6 and earlier. This only...
CSRF vulnerability in shared-objects
shared-objects 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to configure shared objects. As of publication of this advisory, there is no fix...
Incorrect default pattern in audit-trail
audit-trail uses regular expressions to match requested URLs whose dispatch should be logged. In audit-trail 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling. audit-trail 3.7 changes...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape the name and description of build parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5 escapes the name of build parameters and applies the configured markup...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. This issue is caused by an incomplete fix for...
Password stored in plain text by couchdb-statistics
couchdb-statistics 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file...
Stored XSS vulnerability in release
release 2.10.2 and earlier does not escape the release version in the badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Release/Release permission. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in Persona
Persona 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...
Access token stored in plain text by sms
sms 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration. This access token can be viewed by users with access to the Jenkins controller file system. As of publicatio...
XXE vulnerability in Nerrvana
Nerrvana 1.02.06 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controlle...
CSRF vulnerability and missing permission checks in maven-release-cascade
maven-release-cascade 1.3.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin. Additionally, these endpoints do not require POST requests, resulting in ...
Missing permission check in implied-labels allows reconfiguring the plugin
implied-labels 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to configure the plugin. implied-labels 0.7 requires Overall/Administer permission to configure the plugin...
CSRF vulnerability in lockable-resources
lockable-resources 2.8 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. lockable-resources 2.9 requires POST requests for the...
Stored XSS vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. liquibase-runner 1.4.7 no longer suppor...
XXE vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from t...
Missing permission check in liquibase-runner allows enumerating credentials IDs
liquibase-runner 1.4.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability in warnings allows remote code execution
warnings 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings 5.0.2 requires POST requests f...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Missing permission check in perfecto
perfecto 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. perfecto 1.18 requires Overall/Administer...
Stored XSS vulnerability in android-lint
android-lint 2.6 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step. As of publication of this advisory, there i...
Stored XSS vulnerability in chosen-views-tabbar
chosen-views-tabbar 1.2 and earlier does not escape view names in the dropdown to select views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with the ability to configure views. As of publication of this advisory, there is no fix...
Missing hostname validation in mailer
mailer 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. mailer 1.32.1 validates the SMTP hostname when connecting via TLS by default. In...
Path traversal vulnerability in blueocean
blueocean 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GITREADSAVETYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system. blueocean 1.23.3 no longer...
Stored XSS vulnerability in upstream cause in pipeline-maven
pipeline-maven 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. pipeline-maven 3.9.3 escapes upstream job names in build causes...
Stored XSS vulnerability in validating-string-parameter
validating-string-parameter 2.4 and earlier does not escape regular expressions in tooltips. Additionally, validating-string-parameter 2.4 does not escape parameter names and parameter descriptions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with...
Incorrect permission check in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer to view its administrative...
Stored XSS vulnerability in computer-queue-plugin
computer-queue-plugin 1.5 and earlier does not escape the agent name in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure permission. computer-queue-plugin 1.6 escapes the agent name in tooltips...
OS command execution vulnerability in perfecto
perfecto allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations. This command is executed on the Jenkins controller in perfecto 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. perfecto 1....
Stored XSS vulnerability in radiatorviewplugin
radiatorviewplugin 1.29 and earlier does not escape the full name of the jobs in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in custom-job-icon
custom-job-icon 0.2 and earlier does not escape the job descriptions in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in clearcase-release
clearcase-release 0.3 and earlier does not escape the composite baseline in badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...