Lucene search
K
JenkinsRecent

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•11 views

Incorrect permission check in cloudbees-jenkins-advisor

cloudbees-jenkins-advisor 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. cloudbees-jenkins-advisor 3.2.1 requires Overall/Administer to view its administrative...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•9 views

OS command execution vulnerability in perfecto

perfecto allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations. This command is executed on the Jenkins controller in perfecto 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. perfecto 1....

8.8CVSS8.2AI score0.01357EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•8 views

Stored XSS vulnerability in android-lint

android-lint 2.6 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step. As of publication of this advisory, there i...

8CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•7 views

Stored XSS vulnerability in covcomplplot

covcomplplot 1.1.1 and earlier does not escape the method information in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step. As of publication of this...

8CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•7 views

Arbitrary file read vulnerability in Storable Configs

Storable Configs 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...

6.5CVSS6.6AI score0.01657EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•8 views

Missing permission check in perfecto

perfecto 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. perfecto 1.18 requires Overall/Administer...

4.3CVSS5.1AI score0.00656EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•7 views

Stored XSS vulnerability in locked-files-report

locked-files-report 1.6 and earlier does not escape locked files' names in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...

8CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•8 views

CSRF vulnerability and missing permission checks in elastest

elastest 1.2.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation method does not require POST...

4.3CVSS4.9AI score0.00679EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•8 views

Arbitrary file read vulnerability in Copy data to workspace

Copy data to workspace allows users to copy files from the Jenkins controller to job workspaces. Copy data to workspace 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller. As of...

6.5CVSS6.6AI score0.01704EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•7 views

Stored XSS vulnerability in custom-job-icon

custom-job-icon 0.2 and earlier does not escape the job descriptions in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...

8CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•6 views

Stored XSS vulnerability in description-column-plugin

description-column-plugin 1.3 and earlier does not escape the job description in the column tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...

8CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/16 12:0 a.m.•6 views

Missing permission check in blueocean

Updated 2020-09-16: This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it. blueocean 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests...

4.3CVSS4.8AI score0.00849EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

Stored XSS vulnerability in valgrind

valgrind 0.28 and earlier does not escape content in Valgrind XML reports. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control Valgrind XML report contents. As of publication of this advisory, there is no fix...

8CVSS5.3AI score0.00753EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•13 views

XXE vulnerability in klocwork

klocwork 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...

7.1CVSS6.6AI score0.00818EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•8 views

Credentials stored in plain text by tfs

tfs 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. As of...

3.3CVSS4.8AI score0.00257EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

Passwords stored in plain text by soapui-pro-functional-testing

soapui-pro-functional-testing 1.3 and earlier stores project passwords unencrypted in job config.xml files as part of its configuration. These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins controller file system. soapui-pro-functional-testing...

6.5CVSS6.4AI score0.00626EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

Passwords transmitted in plain text by soapui-pro-functional-testing

soapui-pro-functional-testing stores project passwords in job config.xml files on the Jenkins controller as part of its configuration. While these passwords are stored encrypted on disk since soapui-pro-functional-testing 1.4, they are transmitted in plain text as part of the global configuration...

4.3CVSS5.1AI score0.00514EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•9 views

Stored XSS vulnerability in vmanager-plugin

vmanager-plugin 3.0.4 and earlier does not escape build descriptions in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Run/Update permission. vmanager-plugin 3.0.5 removes affected tooltips...

8CVSS5.3AI score0.00753EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•8 views

CSRF vulnerability in database

database 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute arbitrary SQL scripts. database 1.7 removes the database console...

8.8CVSS8.5AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•7 views

Secret stored in plain text by Parameterized-Remote-Trigger

Parameterized-Remote-Trigger 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to t...

4.3CVSS5.1AI score0.00524EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

XSS vulnerability in build-failure-analyzer

build-failure-analyzer 1.27.0 and earlier does not escape matching text in a form validation response. This results in a cross-site scripting XSS vulnerability exploitable by attackers able to provide console output for builds used to test build log indications. build-failure-analyzer 1.27.1...

8CVSS5.3AI score0.00753EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•7 views

CSRF vulnerability and missing permission checks in database

database 1.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified username and password. Additionally, this form validation...

8.8CVSS6.9AI score0.00715EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

Stored XSS vulnerability in git-parameter

git-parameter 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. git-parameter 0.9.13 escapes the repository field on the 'Build with...

8CVSS5.4AI score0.00753EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•6 views

Reflected XSS vulnerability in JSGames

JSGames 0.2 and earlier evaluates part of a URL as code. This results in a reflected cross-site scripting XSS vulnerability. As of publication of this advisory, there is no fix...

8.8CVSS5.8AI score0.00871EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/09/01 12:0 a.m.•10 views

XXE vulnerability in valgrind

valgrind 0.28 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...

7.1CVSS7.2AI score0.00877EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/17 12:0 a.m.•6 views

Buffer corruption in bundled Jetty

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.224 through 2.242 and LT...

9.4CVSS8.4AI score0.11138EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•8 views

CSRF vulnerability in flaky-test-handler

flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing. As of publicati...

4.3CVSS4.9AI score0.00679EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•8 views

Stored XSS vulnerability in yet-another-build-visualizer

yet-another-build-visualizer 1.11 and earlier does not escape tooltip content. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Run/Update permission. yet-another-build-visualizer 1.12 escapes tooltip content...

8CVSS6.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•8 views

Stored XSS vulnerability in project naming strategy

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4 escapes th...

8CVSS5.9AI score0.83053EPSS
Exploits3Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•11 views

Missing permission check in pipeline-maven allows enumerating credentials IDs

pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

6.5CVSS5.6AI score0.00836EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•8 views

Stored XSS vulnerability in 'Trigger builds remotely'

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication...

8CVSS5.3AI score0.05298EPSS
Exploits3Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•18 views

CSRF vulnerability and missing permission check in pipeline-maven allow capturing credentials

pipeline-maven 3.8.2 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially...

7.1CVSS6.5AI score0.01056EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•8 views

Stored XSS vulnerability in help icons

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting XSS vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the...

8CVSS5.9AI score0.06765EPSS
Exploits3Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/08/12 12:0 a.m.•7 views

SMTP password transmitted and displayed in plain text by email-ext

email-ext stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration...

7.5CVSS7.3AI score0.00755EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•7 views

Stored XSS vulnerability in single axis builds tooltips in matrix-project

matrix-project 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. matrix-project 1.17 escapes the node names shown in...

8CVSS5.8AI score0.00919EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•7 views

Improper authorization of users and groups with the same base name in gitlab-oauth

gitlab-oauth 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group. gitlab-oauth 1.6 performs user name and...

8.8CVSS8AI score0.01433EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•7 views

Stored XSS vulnerability in job build time trend

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the agent name...

8CVSS5.3AI score0.01023EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•6 views

Stored XSS vulnerability in multiple axis builds tooltips in matrix-project

matrix-project 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. matrix-project 1.17 escapes the axis names shown ...

8CVSS5.8AI score0.01041EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•8 views

Stored XSS vulnerability in deployer-framework

deployer-framework is a framework plugin allowing other plugins to provide a way to deploy artifacts. deployer-framework 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to provide t...

8CVSS5.3AI score0.00688EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•6 views

Stored XSS vulnerability in console links

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2...

8CVSS5.3AI score0.01032EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•6 views

Stored XSS vulnerability in 'keep forever' badge icons

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure job names. As job names do not generally support the character set...

8CVSS5.2AI score0.01126EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•6 views

Stored XSS vulnerability in matrix-auth

matrix-auth 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting XSS vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission,...

8CVSS5.7AI score0.00919EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/15 12:0 a.m.•6 views

Stored XSS vulnerability in upstream cause

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the job display...

8CVSS5.3AI score0.01077EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•8 views

CSRF vulnerability and missing permission checks in zephyr-for-jira-test-management

zephyr-for-jira-test-management 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password. Additionally, this form...

4.3CVSS4.9AI score0.00679EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•13 views

Stored XSS vulnerability in link-column

link-column allows users with View/Configure permission to add a new column to list views that contains a user-configurable link. link-column 1.0 and earlier does not filter the URL for these links, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability...

6.4CVSS5.4AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•36 views

Credentials stored in plain text by whitesource

whitesource 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission in the...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•9 views

Content-Security-Policy protection for user content disabled by ZAP Pipeline

Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts. ZAP Pipeline 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. Th...

5.4CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•6 views

Reflected XSS in compatibility-action-storage

compatibility-action-storage 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint. This allows attackers able to update the configured document in MongoDB to inject the payload. This results in a reflected cross-site scripting XSS...

6.1CVSS5.8AI score0.00699EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•7 views

Password stored in plain text by hp-quality-center

hp-quality-center 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no...

3.3CVSS4.8AI score0.00306EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2020/07/02 12:0 a.m.•8 views

Users with Overall/Read access could enumerate credentials IDs in fortify-on-demand-uploader

fortify-on-demand-uploader provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions in fortify-on-demand-uploader 6.0.0 and earlier, allowing any user with Overall/Read permission to get a...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464