CSRF vulnerability in shared-objects
shared-objects 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to configure shared objects. As of publication of this advisory, there is no fix...
Incorrect default pattern in audit-trail
audit-trail uses regular expressions to match requested URLs whose dispatch should be logged. In audit-trail 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling. audit-trail 3.7 changes...
Stored XSS vulnerability in release
release 2.10.2 and earlier does not escape the release version in the badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission. As of publication of this advisory, there is no fix...
Access token stored in plain text by sms
sms 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration. This access token can be viewed by users with access to the Jenkins controller file system. As of publicatio...
Improper authorization due to caching in role-strategy
role-strategy 2.12 and newer uses a cache to speed up permission lookups. In role-strategy 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape the name and description of build parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5 escapes the name of build parameters and applies the configured markup...
Password stored in plain text by couchdb-statistics
couchdb-statistics 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file...
XXE vulnerability in Nerrvana
Nerrvana 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controlle...
CSRF vulnerability in warnings allows remote code execution
warnings 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings 5.0.2 requires POST requests f...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Stored XSS vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. liquibase-runner 1.4.7 no longer suppor...
CSRF vulnerability in lockable-resources
lockable-resources 2.8 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. lockable-resources 2.9 requires POST requests for the...
Missing permission check in implied-labels allows reconfiguring the plugin
implied-labels 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to configure the plugin. implied-labels 0.7 requires Overall/Administer permission to configure the plugin...
XXE vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from t...
Missing permission check in liquibase-runner allows enumerating credentials IDs
liquibase-runner 1.4.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing hostname validation in email-ext
email-ext 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. email-ext 2.76 validates the SMTP hostname when connecting via TLS by default. In...
OS command execution vulnerability in perfecto
perfecto allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations. The resulting command is executed on the Jenkins controller in perfecto 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. perfecto 1....
Stored XSS vulnerability in radiatorviewplugin
radiatorviewplugin 1.29 and earlier does not escape the full name of the jobs in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in custom-job-icon
custom-job-icon 0.2 and earlier does not escape the job descriptions in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in covcomplplot
covcomplplot 1.1.1 and earlier does not escape the method information in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step. As of publication of this...
Stored XSS vulnerability in description-column-plugin
description-column-plugin 1.3 and earlier does not escape the job description in the column tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in elastest
elastest 1.2.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation method does not require POST...
Passwords stored in plain text by elastest
elastest 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in Copy data to workspace
Copy data to workspace allows users to copy files from the Jenkins controller to job workspaces. Copy data to workspace 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller. As of...
Arbitrary file read vulnerability in Storable Configs
Storable Configs 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in upstream cause in pipeline-maven
pipeline-maven 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. pipeline-maven 3.9.3 escapes upstream job names in build causes...
Stored XSS vulnerability in validating-string-parameter
validating-string-parameter 2.4 and earlier does not escape regular expressions in tooltips. Additionally, validating-string-parameter 2.4 does not escape parameter names and parameter descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with...
Incorrect permission check in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer permission to view its administrative...
Stored XSS vulnerability in computer-queue-plugin
computer-queue-plugin 1.5 and earlier does not escape the agent name in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. computer-queue-plugin 1.6 escapes the agent name in tooltips...
Missing permission check in perfecto
perfecto 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. perfecto 1.18 requires Overall/Administer...
Missing hostname validation in mailer
mailer 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. mailer 1.32.1 validates the SMTP hostname when connecting via TLS by default. In...
Path traversal vulnerability in blueocean
blueocean 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GITREADSAVETYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system. blueocean 1.23.3 no longer...
Missing permission check in blueocean
Updated 2020-09-16: This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it. blueocean 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests...
Stored XSS vulnerability in android-lint
android-lint 2.6 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step. As of publication of this advisory, there i...
CSRF vulnerability and missing permission checks in mongodb
mongodb 1.3 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. Additionally, these form validation methods do not require POST...
Stored XSS vulnerability in chosen-views-tabbar
chosen-views-tabbar 1.2 and earlier does not escape view names in the dropdown to select views. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in clearcase-release
clearcase-release 0.3 and earlier does not escape the composite baseline in the badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in locked-files-report
locked-files-report 1.6 and earlier does not escape locked files' names in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
System command execution vulnerability in Selection tasks
Selection tasks implements a job parameter that dynamically generates possible values from the output of a program. The path to that program is specified as part of the parameter configuration. Selection tasks 1.0 and earlier executes this user-specified program on the Jenkins controller. This...
Arbitrary file write vulnerability in Storable Configs
Storable Configs allows storing copies of a job's config.xml file on the Jenkins controller with a user-specified file name. Storable Configs 1.0 and earlier does not restrict the user-specified file name, except that a .xml suffix is added if it's not already present. This allows attackers with...
Stored XSS vulnerability in vmanager-plugin
vmanager-plugin 3.0.4 and earlier does not escape build descriptions in tooltips. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. vmanager-plugin 3.0.5 removes affected tooltips...
XXE vulnerability in valgrind
valgrind 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...
Stored XSS vulnerability in valgrind
valgrind 0.28 and earlier does not escape content in Valgrind XML reports. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents. As of publication of this advisory, there is no fix...
Passwords stored in plain text by soapui-pro-functional-testing
soapui-pro-functional-testing 1.3 and earlier stores project passwords unencrypted in job config.xml files as part of its configuration. These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins controller file system. soapui-pro-functional-testing...
Credentials stored in plain text by tfs
tfs 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. As of...
Passwords transmitted in plain text by soapui-pro-functional-testing
soapui-pro-functional-testing stores project passwords in job config.xml files on the Jenkins controller as part of its configuration. While these passwords are stored encrypted on disk since soapui-pro-functional-testing 1.4, they are transmitted in plain text as part of the global configuration...
Secret stored in plain text by Parameterized-Remote-Trigger
Parameterized-Remote-Trigger 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to t...
CSRF vulnerability in database
database 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary SQL scripts. database 1.7 removes the database console...
CSRF vulnerability and missing permission checks in database
database 1.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified username and password. Additionally, this form validation...
XSS vulnerability in build-failure-analyzer
build-failure-analyzer 1.27.0 and earlier does not escape matching text in a form validation response. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications. build-failure-analyzer 1.27.1...