Lack of SSL/TLS certificate and hostname validation in ec2
ec2 connects to Windows agents via HTTPS. ec2 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connectio...
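What "unconditionally accepts self-signed certificates and does not perform hostname validation" looks like in code, next to the corrected pattern. This is an added illustration, not code from the ec2 plugin: the class name, the method names and the idea of a PEM file exported by the administrator are assumptions. The hardened variant trusts only the certificates in that file (self-signed agent certificates or a private CA both work as trust anchors) and leaves Java's default hostname verifier in place.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (not ec2 plugin code) for talking to a Windows agent over HTTPS.
public class AgentHttps {

    /**
     * The insecure pattern: a trust-all TrustManager plus a hostname verifier that
     * always says yes. Any host on the network path can present any certificate and
     * the connection succeeds, which is exactly the man-in-the-middle case.
     */
    static HttpsURLConnection openUnverified(String url) throws Exception {
        TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {trustAll}, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    /**
     * The hardened pattern: trust only the certificates the administrator exported
     * from the agents (one PEM file, leaf certs or a private CA), and do not touch the
     * hostname verifier, so the certificate must match the host named in the URL.
     */
    static HttpsURLConnection openVerified(String url, String trustedPemPath) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty store: not the JVM default cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(trustedPemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trust.setCertificateEntry("agent-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: HttpsURLConnection's default verifier rejects a
        // certificate whose SAN/CN does not match the host part of the URL.
        return conn;
    }
}
```

A quick check for an existing integration is to grep the plugin for `setHostnameVerifier`, `X509TrustManager` implementations with empty `checkServerTrusted` bodies, and `ALLOW_ALL_HOSTNAME_VERIFIER`; any of these on a connection to an agent or remote service is the finding described above.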
Missing SSH host key validation in ec2
ec2 1.50.1 and earlier does not use SSH host key validation when connecting to agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. ec2 1.50.2 provides strategies for performing host key validation for administrators to...
Secrets are not masked by credentials-binding in builds without build steps
credentials-binding 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. credentials-binding 1.23 now masks secrets when the build contains no build steps...
Improper permission checks in copyartifact
copyartifact 1.43.1 and earlier performs improper permission checks when determining whether a build can copy artifacts from another project build. This allows attackers, usually with Job/Configure permission, to configure jobs to copy artifacts from jobs they have no permission to access...
CSRF vulnerability in cvs
cvs 2.15 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows attackers to create and manipulate tags, and to connect to an attacker-specified URL. cvs 2.16 now requires POST requests for the affected HTTP...
CSRF vulnerability in ec2
ec2 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID. ec2 1.50.2 now requires POST requests for the affected HTTP endpoin...
Credentials stored in plain text by copr
copr 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. copr 0.6.1 stores these credentials encrypted. This change is effective...
XXE vulnerability in parasoft-findings
parasoft-findings implements a static analysis parser for various Parasoft products and integrates with Warnings Plugin (10.4.1 and earlier) and Warnings NG Plugin (10.4.2 and newer). parasoft-findings 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Th...
RCE vulnerability in yaml-axis
yaml-axis 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a multi-configuration (Matrix) job, or control the contents of a previously configured job...
RCE vulnerability in aws-sam
aws-sam 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a previously configured "AWS SAM deploy application" buil...
Reflected XSS vulnerability in awseb-deployment-plugin
awseb-deployment-plugin 0.3.19 and earlier does not escape various values printed as part of form validation output. This results in a reflected cross-site scripting (XSS) vulnerability. awseb-deployment-plugin 0.3.20 escapes the values printed as part of the affected form validation endpoints...
XSS vulnerability in usemango-runner
Multiple form validation endpoints in usemango-runner 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service. usemango-runner 1.5 escapes a...
XXE vulnerability in code-coverage-api
code-coverage-api 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Stored XSS vulnerability in fitnesse
fitnesse 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin. fitnesse 1.33 escapes content from XML input...
XSS vulnerability in gatling
gatling 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. gatling 1.3.0 no longer allows...
Stored XSS vulnerability in label expression validation
Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run. In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly...
Stored XSS vulnerability in file parameters
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with fi...
Stored XSS vulnerability in list view column headers
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers. The following plugins are known to allow users to define...
Passwords transmitted in plain text by artifactory
artifactory stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk since artifactory 3.6.0, it is transmitted in plain text as part of the...
RCE vulnerability in pipeline-aws
pipeline-aws 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to pipeline-aws's build steps. pipeline-aws 1.41 configures its YAML...
RCE vulnerability in openshift-pipeline
openshift-pipeline 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to openshift-pipeline's build step. openshift-pipeline 1.0.57...
RCE vulnerability in azure-acs
azure-acs 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to azure-acs's build step. azure-acs 1.0.2 configures its YAML parser to...
Passwords stored in plain text by Artifactory Plugin
Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system. Artifactory Plugin 3.6.0 now stores the...
Reflected XSS vulnerability in queue-cleanup
A form validation HTTP endpoint in queue-cleanup 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting (XSS) vulnerability. queue-cleanup 1.4 correctly escapes the query parameter...
XXE vulnerability in rapiddeploy-jenkins
rapiddeploy-jenkins 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external...
CSRF protection for any URL could be bypassed
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlie...
Stored XSS vulnerability in rapiddeploy-jenkins
rapiddeploy-jenkins 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs. rapiddeploy-jenkins 4.2.1 escapes package names...
OS command injection in CryptoMove
CryptoMove 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing users with Job/Configure permission to execute an arbitrary OS comman...
CSRF vulnerability and missing permission checks in mac
mac 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials...
Credentials transmitted in plain text by repository-connector
repository-connector stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part ...
Credentials transmitted in plain text by sonar-quality-gates
sonar-quality-gates stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration for...
Credentials transmitted in plain text by backlog
backlog stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by backlog 2.4 and earlier. These credentials could be viewed by users with Extended Read...
Credentials transmitted in plain text by openshift-deployer
openshift-deployer stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration...
Credentials transmitted in plain text by deployhub
deployhub stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by deployhub 8.0.14 and earlier. These credentials could be viewed by users with Extended Rea...
Credentials transmitted in plain text by skytap
skytap stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by skytap 2.07 and earlier. These credentials could be viewed by users with Extended Read...
Stored XSS vulnerability in git
git 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation. This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. git 4.2.1 escapes the affected part of the error messag...
Stored XSS vulnerability in timestamper
timestamper 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds. This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission. timestamper 1.11.2 sanitizes t...
Arbitrary file write vulnerability in cobertura
cobertura 1.15 and earlier does not validate file paths from the XML file it parses. This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system. cobertura 1.16 sanitizes the file paths to prevent escape from the base directory...
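The check that prevents the arbitrary file write described above: resolve every file name taken from the report against the build's report directory and refuse anything that lands outside it. This is an added example, not cobertura's code; the class and method names are assumptions. It handles the three ways a report-supplied name can escape: `..` segments, absolute paths, and a symlink inside the report directory that points outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper (not cobertura code) for writing per-file report output.
public class SafeReportPaths {

    /**
     * Resolve nameFromReport inside baseDir and return the resulting path, or throw if
     * the name would escape baseDir. baseDir must already exist.
     */
    static Path resolveInside(Path baseDir, String nameFromReport) throws IOException {
        Path base = baseDir.toRealPath(); // canonical, symlinks resolved
        // resolve() with an absolute argument returns that absolute path unchanged, and
        // normalize() collapses "..", so both cases fall out of the startsWith check.
        Path candidate = base.resolve(nameFromReport).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("report path escapes base directory: " + nameFromReport);
        }
        // The lexical check above is blind to symlinks: base/link/x is "inside" by name but
        // may be outside on disk. Walk up to the nearest existing ancestor (at worst base
        // itself) and compare its real location.
        Path existing = candidate;
        while (!Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(base)) {
            throw new IOException("report path resolves outside base directory: " + nameFromReport);
        }
        return candidate;
    }
}
```

Inputs such as `../../../../etc/passwd`, `/etc/passwd`, and `outside-link/anything` (where `outside-link` is a symlink out of the report directory) are all rejected; plain relative names such as `src/main/Foo.java.html` come back unchanged under `baseDir`.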
XXE vulnerability in rundeck
rundeck 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or...
XSS vulnerability in Subversion Release Manager
Subversion Release Manager 1.2 and earlier does not escape the error message for the Repository URL field form validation. This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure...
RCE vulnerability in Literate
Literate 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate's build step. As of publication of this advisory, there is no fix...
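The YAML findings above (yaml-axis, aws-sam, pipeline-aws, openshift-pipeline, azure-acs, Literate) share one root cause: SnakeYAML's default `Constructor` lets the document name any JVM class via a global tag (`!!fully.qualified.Name`) and instantiates it. The following is an added example, not code from any of those plugins; it assumes SnakeYAML 1.x as bundled with Jenkins plugins of that era, and the class name and the sample document are constructed for illustration. The sample tags a harmless class so the behaviour can be observed safely; the gadget classes behind the RCE reports are reached through exactly the same mechanism.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Hypothetical loader (not plugin code) showing the unsafe default and the fix.
public class YamlLoading {

    // Constructed sample: a sequence node tagged with a JVM class. The default loader
    // looks for a one-argument constructor on java.net.URL and calls it.
    static final String TAGGED = "!!java.net.URL [\"https://example.invalid/\"]";

    /** Default Constructor: global tags are resolved to classes and instantiated. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /**
     * SafeConstructor: only the standard YAML types (maps, lists, scalars) are built;
     * a global tag such as !!java.net.URL raises ConstructorException instead.
     */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(TAGGED);
        System.out.println("default loader built a " + o.getClass().getName());
        try {
            loadSafe(TAGGED);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

When a plugin needs a typed configuration object rather than plain maps, `new Yaml(new Constructor(MyConfig.class))` limits the root type but still honours global tags on nested nodes, so it is not a substitute for `SafeConstructor` on untrusted input. SnakeYAML 2.x changed the defaults (global tags are rejected unless a `TagInspector` allows them, and `Constructor`/`SafeConstructor` take a `LoaderOptions` argument), but plugins pinning 1.x get none of that.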
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security 1.70 and earlier can be circumvented through crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582) and through crafted method calls on objects that implement GroovyInterceptable. This allows attackers able to specify and run sandboxed scripts to...
XXE vulnerability in cobertura
cobertura 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction o...
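The parser configuration that the XXE findings on this page (parasoft-findings, code-coverage-api, rapiddeploy-jenkins, rundeck, cobertura) were missing, as an added example with a constructed hostile input; this is not code from any of those plugins, and the class and method names are assumptions. The sample report declares an external entity that would read a local file and copy its contents into an attribute, which is the "extraction of secrets from the Jenkins controller" case.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical report parser (not plugin code) with a hardened JAXP configuration.
public class HardenedXml {

    // Constructed sample: a coverage-style report whose DOCTYPE declares an external entity.
    static final String HOSTILE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE report [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<report><file name=\"&xxe;\"/></report>";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks external entities and entity expansion
        // ("billion laughs") in one step; report formats never need a DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse a report string; a document carrying a DOCTYPE is rejected before any entity is touched. */
    static Document parseReport(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseReport(HOSTILE);
            System.out.println("unexpected: hostile report was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Document ok = parseReport("<report><file name=\"Foo.java\"/></report>");
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());
    }
}
```

Jenkins core ships the same configuration in `jenkins.util.xml.XMLUtils` (for example `XMLUtils.parse(Reader)`), so a plugin on a reasonably recent core can call that instead of carrying its own factory setup. The same feature flags apply to `SAXParserFactory` and, for `XMLInputFactory`, the equivalents are `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` set to `false`.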
XSS vulnerability in audit-trail
audit-trail 3.2 and earlier does not escape the error message for the URL Patterns field form validation. This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission...
CSRF vulnerability and missing permission checks in p4
p4 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF...
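A form validation endpoint written the way the CSRF, missing-permission-check and form-validation XSS findings on this page (cvs, ec2, mac, p4, queue-cleanup, git, Subversion Release Manager, audit-trail) call for. This is an added example, not code from any of those plugins: the descriptor, the step it belongs to, the `url` and `credentialsId` parameters and the remote-service check are all hypothetical, and it assumes the Jenkins and Credentials plugin APIs named in the imports.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical descriptor for a build step that talks to a remote service. */
@Extension
public class ExampleStepDescriptor extends BuildStepDescriptor<Builder> {

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

    @Override
    public String getDisplayName() { return "Example remote service"; }

    /**
     * "Test connection" validation, guarded three ways:
     *  1. @POST: the endpoint answers POST only, so a cross-site GET (an <img> or a link
     *     in another tab) cannot make the controller connect anywhere.
     *  2. Permission check: only users who may configure this job (or administer
     *     Jenkins, when called from the global form) may use it; Overall/Read is not enough.
     *  3. Credentials are resolved in the job's own context, so a caller cannot point
     *     the connection at a credentials ID the job is not entitled to.
     */
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No such credentials in this job's context");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            int status = conn.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected as " + creds.getUsername())
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (Exception e) {
            // FormValidation.error(String) HTML-escapes its message. Wrapping user input in
            // markup (errorWithMarkup, or string-building HTML) is what produced the
            // reflected and stored XSS in form validation listed on this page.
            return FormValidation.error("Could not connect to " + url + ": " + e.getMessage());
        }
    }
}
```

The matching Jelly field declares the method with `checkMethod="post"` (for example `<f:textbox field="url" checkMethod="post"/>`), otherwise the browser-side validation still issues GETs and the `@POST` endpoint answers every keystroke with an error. For endpoints that only read state, `@POST` is unnecessary but the permission check is not.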
Credentials transmitted in plain text by logstash
logstash stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by...
Credentials stored in plain text by zephyr-enterprise-test-management
zephyr-enterprise-test-management 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system. zephyr-enterprise-test-management...
Missing SSH host key validation in mac
mac 1.1.0 and earlier does not use SSH host key validation when connecting to a Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. mac 1.2.0 validates SSH host keys when connecting to agents...
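Host key validation for an agent connection, covering both SSH findings above (ec2 and mac). This is an added example using the JSch client library, not code from either plugin; the class name, the parameters and the known_hosts file are assumptions. The known_hosts entry is assumed to have been collected out of band, which for a freshly provisioned cloud instance means the host key the provider shows in the instance's console output.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

// Hypothetical launcher (not ec2 or mac plugin code) that refuses unknown host keys.
public class AgentSsh {

    /**
     * Open a session only if the server presents a key already recorded for this host
     * in knownHostsPath (OpenSSH known_hosts format: "host keytype base64key").
     */
    static Session connectVerified(String knownHostsPath, String privateKeyPath,
                                   String user, String host, int port) throws JSchException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);
        jsch.addIdentity(privateKeyPath);
        Session session = jsch.getSession(user, host, port);
        // "yes": an unknown or changed host key aborts the connection with a JSchException.
        // "no" (the insecure setting behind the findings above) accepts whatever key the
        // peer presents, so anyone who can redirect the TCP connection owns the agent link.
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(15_000);
        return session;
    }
}
```

When reviewing a plugin, look for `StrictHostKeyChecking` set to `no`, a `HostKeyVerifier`/`ServerHostKeyVerifier` (Trilead) or `HostKeyRepository` (JSch) implementation that returns true for everything, or a `known_hosts` path that is never populated; each is the same gap under a different API.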
Credentials transmitted in plain text by quality-gates
quality-gates stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by...
Credentials stored in plain text by zephyr-for-jira-test-management
zephyr-for-jira-test-management 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of...
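The storage pattern behind the "stored in plain text" and "transmitted in plain text" findings above (copr, artifactory, zephyr-enterprise-test-management, zephyr-for-jira-test-management, repository-connector, sonar-quality-gates, backlog, openshift-deployer, deployhub, skytap, logstash, quality-gates). This is an added example, not code from any of those plugins: the configuration class, its fields and the legacy field name are hypothetical. Holding the value as `hudson.util.Secret` rather than `String` fixes both findings at once: XStream writes a `Secret` to the XML file encrypted, and the configuration form receives the encrypted form from the getter, so neither the file nor the page exposes the plaintext.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/** Hypothetical global configuration for a plugin that talks to a remote service. */
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    private String serverUrl;

    /** Secret, not String: encrypted in the XML file and in the configuration form. */
    private Secret apiToken;

    /** Field from older versions that stored the token as plain text; kept only for migration. */
    @Deprecated
    private String password;

    public ExampleServiceConfiguration() {
        load(); // reads the XML file for this class from JENKINS_HOME
    }

    public static ExampleServiceConfiguration get() {
        return GlobalConfiguration.all().get(ExampleServiceConfiguration.class);
    }

    /** Runs after XStream has loaded the file: move a legacy plaintext value into the Secret. */
    private Object readResolve() {
        if (password != null) {
            apiToken = Secret.fromString(password);
            password = null; // a null field is omitted when the file is next written
        }
        return this;
    }

    public String getServerUrl() { return serverUrl; }

    @DataBoundSetter
    public void setServerUrl(String serverUrl) { this.serverUrl = serverUrl; }

    /** Returns the Secret itself; the form shows its encrypted form, never the plaintext. */
    public Secret getApiToken() { return apiToken; }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) { this.apiToken = apiToken; }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        req.bindJSON(this, json); // Secret.fromString handles both encrypted and fresh values
        save();
        return true;
    }

    /** Only code that actually needs the token decrypts it, and only on the controller. */
    String apiTokenPlainText() {
        return Secret.toString(apiToken);
    }
}
```

The Jelly view binds the field with `<f:password field="apiToken"/>` so the browser receives the encrypted value; a `<f:textbox>` on a `Secret` field would still leak it. The migration in `readResolve` only takes effect on disk once an administrator saves the configuration, which is why several advisories above describe their fix as effective after the configuration is saved.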