XXE vulnerability in klocwork
klocwork 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins...
Reflected XSS vulnerability in JSGames
JSGames 0.2 and earlier evaluates part of a URL as code. This results in a reflected cross-site scripting XSS vulnerability. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in git-parameter
git-parameter 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. git-parameter 0.9.13 escapes the repository field on the 'Build with...
Buffer corruption in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.224 through 2.242 and LT...
Missing permission check in pipeline-maven allows enumerating credentials IDs
pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission check in pipeline-maven allow capturing credentials
pipeline-maven 3.8.2 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially...
Stored XSS vulnerability in help icons
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting XSS vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the...
Stored XSS vulnerability in project naming strategy
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4 escapes th...
SMTP password transmitted and displayed in plain text by email-ext
email-ext stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration...
CSRF vulnerability in flaky-test-handler
flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing. As of publicati...
Stored XSS vulnerability in 'Trigger builds remotely'
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication...
Stored XSS vulnerability in yet-another-build-visualizer
yet-another-build-visualizer 1.11 and earlier does not escape tooltip content. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Run/Update permission. yet-another-build-visualizer 1.12 escapes tooltip content...
Stored XSS vulnerability in upstream cause
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the job display...
Stored XSS vulnerability in multiple axis builds tooltips in matrix-project
matrix-project 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. matrix-project 1.17 escapes the axis names shown ...
Stored XSS vulnerability in matrix-auth
matrix-auth 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting XSS vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission,...
Stored XSS vulnerability in job build time trend
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the agent name...
Stored XSS vulnerability in 'keep forever' badge icons
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure job names. As job names do not generally support the character set...
Improper authorization of users and groups with the same base name in gitlab-oauth
gitlab-oauth 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group. gitlab-oauth 1.6 performs user name and...
Stored XSS vulnerability in console links
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2...
Stored XSS vulnerability in single axis builds tooltips in matrix-project
matrix-project 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. matrix-project 1.17 escapes the node names shown in...
Stored XSS vulnerability in deployer-framework
deployer-framework is a framework plugin allowing other plugins to provide a way to deploy artifacts. deployer-framework 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to provide t...
Stored XSS vulnerability in sonargraph-integration
sonargraph-integration 3.0.0 and earlier does not escape the file path for the Log file field form validation. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Job/Configure permission. sonargraph-integration 3.0.1 escapes the affected part of th...
CSRF vulnerability and missing permission checks in fortify-on-demand-uploader
fortify-on-demand-uploader 5.0.1 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained throug...
Reflected XSS vulnerability in vncviewer
vncviewer 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output. This results in a reflected cross-site scripting XSS vulnerability. vncviewer 1.8 escapes the parameter value in the output...
Passwords transmitted in plain text by StashBranchParameter
StashBranchParameter stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk, it is transmitted in plain text as...
Secret stored in plain text by github-coverage-reporter
github-coverage-reporter 1.8 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no...
Credentials stored in plain text by whitesource
whitesource 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission in the...
Content-Security-Policy protection for user content disabled by ZAP Pipeline
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts. ZAP Pipeline 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. Th...
Password stored in plain text by hp-quality-center
hp-quality-center 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no...
Users with Overall/Read access could enumerate credentials IDs in fortify-on-demand-uploader
fortify-on-demand-uploader provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions in fortify-on-demand-uploader 6.0.0 and earlier, allowing any user with Overall/Read permission to get a...
Stored XSS vulnerability in vncrecorder
vncrecorder 1.25 and earlier does not escape a tool path in the checkVncServ form validation endpoint accessed e.g. via job configuration forms. This results in a stored cross-site scripting XSS vulnerability exploitable by Jenkins administrators. vncrecorder 1.35 escapes the tool path...
Reflected XSS vulnerability in vncrecorder
vncrecorder 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output. This results in a reflected cross-site scripting XSS vulnerability. vncrecorder 1.35 escapes the parameter value in the output...
Reflected XSS in compatibility-action-storage
compatibility-action-storage 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint. This allows attackers able to update the configured document in MongoDB to inject the payload. This results in a reflected cross-site scripting XSS...
Secret stored in plain text by slack-uploader
slack-uploader 1.7 and earlier stores a secret unencrypted in job config.xml files as part of its configuration. This secret can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Password stored in plain text by TestComplete
TestComplete 2.4.1 and earlier stores a password unencrypted in job config.xml files as part of its configuration. This password can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD
ElasticBox Jenkins Kubernetes CI/CD 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD's build...
CSRF vulnerability and missing permission checks in zephyr-for-jira-test-management
zephyr-for-jira-test-management 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password. Additionally, this form...
Stored XSS vulnerability in link-column
link-column allows users with View/Configure permission to add a new column to list views that contains a user-configurable link. link-column 1.0 and earlier does not filter the URL for these links, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability...
Stored XSS vulnerability in echarts-api
echarts-api 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Run/Update permission. echarts-api 4.7.0-4 escapes the display name...
Stored XSS vulnerability in compact-columns
compact-columns 1.11 and earlier displays the unprocessed job description in tooltips. This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. compact-columns 1.12 applies the configured markup formatter to the job description show...
Complete lack of CSRF protection in selenium can lead to OS command injection
selenium 3.141.59 and earlier has no CSRF protection for its HTTP endpoints. This allows attackers to perform the following actions: Restart the Selenium Grid hub. Delete or replace the plugin configuration. Start, stop, or restart Selenium configurations on specific nodes. Through carefully chos...
Missing permission check in project-inheritance
Jenkins limits access to job configuration XML data config.xml to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. project-inheritance has several job inspection features, including the API URL /job/.../getConfigAsXML for its Inheritance Project job type that...
XSS vulnerability in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not escape the error message for the repository URL field form validation. This results in a reflected cross-site scripting XSS vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configur...
OS command injection vulnerability in Play Framework
A form validation endpoint in Play Framework executes the play command to validate a given input file. Play Framework 1.0.2 and earlier lets users specify the path to the play command on the Jenkins controller. This results in an OS command injection vulnerability exploitable by users able to sto...
CSRF vulnerability and improper permission checks in swarm
swarm adds API endpoints to add or remove agent labels. In swarm 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent. Additionally, these API endpoints d...
Stored XSS vulnerability in script-security
script-security 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure sandboxed scripts. script-security 1.73 escapes pending a...
Stored XSS vulnerability in echarts-api
echarts-api 4.7.0-3 and earlier does not escape the parser identifier when rendering charts. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Job/Configure permission. echarts-api 4.7.0-4 escapes the parser identifier...
Users with Overall/Read access can enumerate credentials IDs in ec2
ec2 provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions in ec2 1.50.1 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be...
RCE vulnerability in scm-filter-jervis
scm-filter-jervis 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to configure jobs with the filter, or control the contents of a previously configured job's S...
Improper masking of some secrets in credentials-binding
credentials-binding allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is passed to...