Authorization Token stored in plain text by openshift-pipeline
openshift-pipeline 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
API Keys stored in plain text by curseforge-publisher
curseforge-publisher 1.0 and earlier stores API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...
Log message injection vulnerability
In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output including jenkins.log and equivalent does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to...
Missing permission check in authenticated users' profile menu
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu...
Missing permission check allows obtaining agent names
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.523 and earlier, LTS...
Missing permission check in opentelemetry allows capturing credentials
opentelemetry 3.1543.v8446b92bcd64 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturi...
File system information disclosure vulnerability in git-client
git-client 6.3.2 and earlier, except 6.1.4 and 6.2.1, allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library. This protocol authenticates against Amazon S3 based on contents of the file whose path is provided as the authority part of the URL...
SMTP command injection vulnerability in jakarta-mail-api
jakarta-mail-api 2.1.3-2 and earlier bundles versions of Angus Mail vulnerable to CVE-2025-7962 (https://vulners.com/cve/CVE-2025-7962). This allows attackers able to control recipient email addresses of emails sent by Jenkins to send emails with arbitrary contents to arbitrary recipients...
Missing permission checks in global-build-stats allow enumerating graph IDs
global-build-stats 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints. This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs. global-build-stats 347.v32aeb0493c4f requires Overall/Administer...
Improper masking of credentials in credentials-binding
credentials-binding 687.v619cb15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. credentials-binding 687.689.v1af775332fc9 rethrows exceptions that contain credentials, masking those credential...
Tokens stored in plain text by ibm-cloud-devops
ibm-cloud-devops 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...
Token stored and displayed in plain text by xooa
xooa 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, th...
Passwords stored in plain text by warrior
warrior 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there...
Token stored and displayed in plain text by sensedia-api-platform
sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Keys stored and displayed in plain text by nouvola-divecloud
nouvola-divecloud 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller fil...
Tokens stored and displayed in plain text by ApicaLoadtest
ApicaLoadtest 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
API Auth keys stored and displayed in plain text by vaddy-plugin
vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Tokens stored and displayed in plain text by deadmanssnitch
deadmanssnitch 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...
Token stored in plain text by user1st-utester
user1st-utester 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file syste...
API key stored in plain text by kryptowire
kryptowire 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. ...
Tokens stored in plain text by aqua-security-scanner
aqua-security-scanner 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...
AWS Secret Key stored and displayed in plain text by statistics-gatherer
statistics-gatherer 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins...
Missing input validation for parameter values in git-parameter
git-parameter implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions. git-parameter 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows...
File path information disclosure in htmlpublisher
htmlpublisher 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. htmlpublisher 427 displays only the parent directory name of files...
Credentials stored and displayed in plain text by soapui-pro-functional-testing
soapui-pro-functional-testing 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These credentials can be viewed by users with Item/Extended Read permission or access to the...
Keys stored in plain text by ifttt-build-notifier
ifttt-build-notifier 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication ...
API keys stored and displayed in plain text by qmetry-test-management
qmetry-test-management 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
API keys stored and displayed in plain text by applitools-eyes
applitools-eyes 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Stored XSS vulnerability in applitools-eyes
applitools-eyes 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. applitools-eyes 1.16.6 rejects Applitools URLs that contain HTML metacharacters...
API keys displayed without masking by testsigma
testsigma stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration. While these API keys are stored encrypted on disk, in testsigma 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to...
XSS vulnerability in gatling
gatling 136.vb9009b3d33ae serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. As of publication of this advisor...
Insufficient validation of claims in oidc-provider
In oidc-provider, claim templates can use environment variables for jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOB_URL environment variable for the sub (Subject) claim. In oidc-provider 96.vee8ed882ec4d and earlier the generation of build ID Tokens...
CSRF vulnerability and missing permission checks in vmanager-plugin
vmanager-plugin 4.0.1-286.v9e25a740ba48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, these form...
SSL/TLS certificate validation unconditionally disabled by dingding-notifications
dingding-notifications 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix.
Stored XSS vulnerability in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 374.v194bd4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. cloudbees-jenkins-advisor...
Authentication bypass vulnerability in WSO2 Oauth
In WSO2 Oauth 1.0 and earlier authentication claims are accepted without validation by the "WSO2 Oauth" security realm. This allows unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. Sessions...
Host key reuse in SSH build agent Docker images
The jenkins/ssh-agent (https://hub.docker.com/r/jenkins/ssh-agent) and deprecated jenkins/ssh-slave (https://hub.docker.com/r/jenkins/ssh-slave) Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of...
Missing permission check allows retrieving agent configurations
Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires...
CSRF vulnerability in simple-queue
simple-queue 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. simple-queue 1.4.7 requires POST requests for the affected HTTP...
Script Security sandbox bypass vulnerability through folder-scoped libraries in templating-engine
templating-engine allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be...
Missing permission check allows retrieving secrets from agent configurations
Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. NOTE: This is due to an...
API keys stored and displayed in plain text by asakusa-satellite-plugin
asakusa-satellite-plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
API keys stored in plain text by stackhammer
stackhammer 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of thi...
Passwords stored in plain text by monitor-remote-job
monitor-remote-job 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there ...
API keys stored in plain text by vmanager-plugin
vmanager-plugin 4.0.0-282.v5096ac2db275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file syste...
API key displayed without masking by zohoqengine
zohoqengine stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in zohoqengine 1.0.29.vfacc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing th...
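Most of the "stored in plain text" entries above (openshift-pipeline, curseforge-publisher, ibm-cloud-devops, xooa, warrior, sensedia-api-platform, nouvola-divecloud, ApicaLoadtest, vaddy-plugin, deadmanssnitch, user1st-utester, kryptowire, aqua-security-scanner, statistics-gatherer, soapui-pro-functional-testing, ifttt-build-notifier, qmetry-test-management, applitools-eyes, asakusa-satellite-plugin, stackhammer, monitor-remote-job, vmanager-plugin) share one root cause: a plugin keeps a credential in a plain String field, so it lands in config.xml verbatim instead of in the encrypted form that hudson.util.Secret writes. The script below is an added example, not code from the Jenkins project or from any of these plugins, and is one way to audit a controller for this class of defect: it walks job config.xml files and plugin global *.xml files under JENKINS_HOME, picks out elements whose names look credential-bearing (a heuristic list assumed for this example), and flags any whose value is not laid out like a Secret ciphertext ("{" + base64 + "}" with a 0x01 version byte, an IV and a ciphertext length prefix). The plugin name and element names in the embedded sample config.xml are constructed for the example. Entries such as testsigma and zohoqengine, where the value is encrypted on disk but unmasked in the form, are correctly not flagged by this check; those need a review of the configuration form, not the file.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic list of element names that usually carry credentials in plugin
# configuration; assumed for this example, extend it for the plugins you run.
SECRET_NAME_RE = re.compile(
    r"(token|api_?key|auth_?key|secret|password|passwd|access_?key|license)",
    re.IGNORECASE,
)
# hudson.util.Secret.toString() emits '{' + base64(payload) + '}'.
ENCRYPTED_RE = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")


def is_jenkins_encrypted(value: str) -> bool:
    """Return True when value has the layout of a Jenkins Secret ciphertext.

    Payload layout: 0x01 | iv_len (4 bytes, big-endian) | iv | ct_len (4 bytes) | ciphertext.
    Anything else (including the legacy brace-less format) is reported for review.
    """
    m = ENCRYPTED_RE.match(value.strip())
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return False
    if len(raw) < 9 or raw[0] != 0x01:
        return False
    iv_len = int.from_bytes(raw[1:5], "big")
    if len(raw) < 9 + iv_len:
        return False
    ct_len = int.from_bytes(raw[5 + iv_len:9 + iv_len], "big")
    return len(raw) == 9 + iv_len + ct_len


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, value) for credential-looking elements stored unencrypted."""
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_NAME_RE.search(elem.tag) and not is_jenkins_encrypted(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


def scan_jenkins_home(home: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan jobs/**/config.xml and top-level plugin global *.xml files under JENKINS_HOME."""
    results: dict[str, list[tuple[str, str]]] = {}
    for path in list(home.glob("jobs/**/config.xml")) + list(home.glob("*.xml")):
        try:
            findings = find_plaintext_secrets(path.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError):
            continue
        if findings:
            results[str(path)] = findings
    return results


def constructed_encrypted_secret() -> str:
    """Constructed stand-in with the Secret ciphertext layout; not a real ciphertext."""
    iv = bytes(range(16))
    ciphertext = bytes(16)
    payload = (b"\x01" + len(iv).to_bytes(4, "big") + iv
               + len(ciphertext).to_bytes(4, "big") + ciphertext)
    return "{" + base64.b64encode(payload).decode("ascii") + "}"


# Constructed sample job config.xml: one plain-text key (the defect class above)
# next to one properly encrypted token. The plugin and element names are made up.
SAMPLE_CONFIG_XML = f"""<project>
  <builders>
    <io.example.hypothetical.ScannerBuilder>
      <apiKey>plain-text-key-0123456789</apiKey>
      <token>{constructed_encrypted_secret()}</token>
      <serverUrl>https://scanner.example.invalid</serverUrl>
    </io.example.hypothetical.ScannerBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file_path, found in scan_jenkins_home(Path(sys.argv[1])).items():
            for elem_path, value in found:
                print(f"{file_path}: {elem_path} = {value[:4]}...")
    else:
        for elem_path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
            print(f"sample: {elem_path} = {value}")
```

Run it as `python scan.py /var/lib/jenkins` on the controller (it needs read access to JENKINS_HOME, which is exactly the access the advisories say exposes these values). A hit means the plugin should be upgraded to a version that uses Secret or the Credentials plugin, or the value rotated and the plugin removed where the advisory says there is no fix.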
Stored XSS vulnerability in AnchorChain
AnchorChain 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. As of...
EdDSA implementation in eddsa-api exhibits signature malleability
eddsa-api makes the EdDSA-Java library ed25519-java available to other plugins. eddsa-api 0.3.0-13.v7cb69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks)...
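The malleability described in the eddsa-api entry is the textbook Ed25519 one: a signature is R || S, verification checks an equation in which S only appears as a scalar multiple of the base point, and because L times the base point is the identity, S and S + L satisfy that equation equally. A verifier that does not insist on S < L (the canonical range RFC 8032 requires) therefore accepts a second, attacker-derived signature for the same message, which is exactly a SUF-CMA failure. The code below is an added example, not code from eddsa-api, EdDSA-Java or the Jenkins project: it implements the range check a verifier must perform before any curve arithmetic, and derives the S + L variant to show what an unchecked verifier would also accept. The sample signature is constructed (R is not a real point); only the scalar range is exercised.

```python
from typing import Optional

# Ed25519 group order L (RFC 8032, section 5.1).
ED25519_L = (1 << 252) + 27742317777372353535851937790883648493


def ed25519_signature_is_canonical(sig: bytes) -> bool:
    """Reject signatures whose scalar S is not reduced modulo L.

    Verification of R || S only uses S as a scalar multiple of the base point,
    so S and S + L verify identically; a verifier that accepts S >= L accepts a
    second valid signature for the same message and is not SUF-CMA secure.
    """
    if len(sig) != 64:
        raise ValueError("Ed25519 signatures are exactly 64 bytes: R || S")
    s = int.from_bytes(sig[32:], "little")
    return s < ED25519_L


def malleate_ed25519_signature(sig: bytes) -> Optional[bytes]:
    """Produce the S + L variant that a verifier lacking the range check also accepts.

    For any canonical S (S < L < 2^253) the sum fits in 32 bytes, so a variant
    always exists; None is returned only for inputs that were already non-canonical
    and too large.
    """
    if len(sig) != 64:
        raise ValueError("Ed25519 signatures are exactly 64 bytes: R || S")
    s = int.from_bytes(sig[32:], "little") + ED25519_L
    if s >= 1 << 256:
        return None
    return sig[:32] + s.to_bytes(32, "little")


# Constructed sample: 32 zero bytes stand in for R and a small scalar for S.
# This is not a valid signature; it only exercises the canonicality check.
SAMPLE_SIG = bytes(32) + (123456789).to_bytes(32, "little")

if __name__ == "__main__":
    variant = malleate_ed25519_signature(SAMPLE_SIG)
    print("original canonical:", ed25519_signature_is_canonical(SAMPLE_SIG))
    print("S + L variant canonical:", ed25519_signature_is_canonical(variant))
```

Where a plugin uses eddsa-api to verify signatures on tokens or artifacts, this check belongs in front of the library call until the bundled library itself rejects non-canonical S; it also stops non-canonical encodings of R and the public key from mattering for uniqueness only if those are checked too, which this example does not cover.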
Open redirect vulnerability
Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limits redirections to safe URLs (neither absolute nor scheme-relative/network-path reference). In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier,...
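The open redirect entry states the rule Jenkins applies (only relative targets that are neither absolute nor scheme-relative/network-path references) but the listing is cut off before it says which input slipped past the check in 2.499 and earlier. The function below is an added example, not Jenkins' own implementation of that rule, showing how such a check is written so that the usual parser-versus-browser disagreements do not bypass it: browsers treat a backslash as a slash in http(s) URLs, so "/\host" is a network-path reference as far as the browser is concerned; leading whitespace and embedded control characters are stripped by browsers and by urllib.parse alike, so "java<TAB>script:" must not be allowed to look scheme-less. Which of these, if any, was the page's actual issue is not stated on the page and is not claimed here.

```python
from urllib.parse import urlsplit


def is_safe_redirect_target(url: str) -> bool:
    """Allow only in-application relative redirect targets.

    Rejects absolute URLs (any scheme, including javascript:) and
    scheme-relative / network-path references ("//host/..."). Backslashes are
    normalized to "/" first because browsers do the same for http(s) URLs, so
    "/\\host" is also a network-path reference. Control characters are
    rejected outright because URL parsers drop them, which would otherwise
    let "java\\tscript:" pass as scheme-less.
    """
    candidate = url.strip()
    if not candidate:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    normalized = candidate.replace("\\", "/")
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    return not parts.scheme and not parts.netloc


def safe_redirect_or_default(url: str, default: str = "/") -> str:
    """Return url when it is a safe in-application target, else the app's own default."""
    return url if is_safe_redirect_target(url) else default


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate Jenkins-style relative paths,
    # the rest are the shapes an open-redirect check must refuse.
    for sample in ["/job/example/", "job/example/configure?x=1",
                   "https://evil.example/", "//evil.example/", "/\\evil.example/",
                   "\\\\evil.example/", " //evil.example/", "javascript:alert(1)"]:
        print(f"{sample!r:28} -> {is_safe_redirect_target(sample)}")
```

The conservative choice of normalizing every backslash before testing, rather than enumerating "/\\" and "\\\\" prefixes, is deliberate: it is the browser's normalization that decides where the user ends up, so the check should see the same string the browser will.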