Sandbox bypass vulnerability in script-security
Sandbox protection in script-security 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution typically invoked from other plugins li...
XXE vulnerability in nunit
nunit 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller,...
RCE vulnerability in google-kubernetes-engine
google-kubernetes-engine 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to google-kubernetes-engine's build step...
Stored XSS vulnerability in brakeman
brakeman 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability. This vulnerability can be exploited by users able to control the Brakeman post-build step input data. brakeman 0.13 escapes affected values...
RCE vulnerability in radargun
radargun 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure radargun's build step. radargun 1.8 configures its YAML parser to only instantiate safe types...
Password stored in plain text by applatix
applatix 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Users with Overall/Read access can enumerate credential IDs in pipeline-githubnotify-step
pipeline-githubnotify-step 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs...
Client secret transmitted in plain text by azure-ad
azure-ad stores a client secret in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by azure-ad 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site...
Password stored in plain text by dynamic_extended_choice_parameter
dynamic_extended_choice_parameter 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
Password stored in plain text by eagle-tester
eagle-tester 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
Password stored in plain text by environment-manager
environment-manager 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no...
Sandbox bypass via default method parameter expression in workflow-cps
Sandbox protection in workflow-cps 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are...
Stored XSS vulnerability in subversion
subversion 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines...
Multiple stored XSS vulnerabilities in git-parameter
git-parameter 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. git-parameter 0.9.12 escapes the parameter name and default value shown on the UI...
Credential transmitted in plain text by s3
s3 stores a secret key in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by s3 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting...
CSRF vulnerability and missing permission checks in pipeline-githubnotify-step allows capturing credentials
pipeline-githubnotify-step 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturi...
XXE vulnerability in fitnesse
fitnesse 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller...
Credentials stored in plain text by debian-package-builder
debian-package-builder 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
Token stored in plain text by digitalocean-plugin
digitalocean-plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Credential stored in plain text by bmc-rpd
bmc-rpd 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
Password stored in plain text by catalogic-ecx
catalogic-ecx 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Passwords stored in plain text by harvest
harvest 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the...
Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...
Inbound TCP Agent Protocol/3 authentication bypass
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between controller and agents. While this protocol has been deprecated in 2018 and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS...
Non-constant time comparison of inbound TCP agent connection secret
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret. Jenkins 2.219, LTS...
Non-constant time HMAC comparison
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled input value. Jenkins 2.219, LTS 2.204.2 now use...
Stored XSS vulnerability in code-coverage-api
code-coverage-api 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. code-coverage-api 1.1.3 escapes the filename of the coverage...
Jenkins vulnerable to UDP amplification reflection attack
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network discovery services (UDP multicast/broadcast and DNS multicast) by default. The UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes sent to the respective endpoint result in much...
Memory usage graphs accessible to anyone with Overall/Read
Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data...
Jenkins REST APIs vulnerable to clickjacking
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the X-Frame-Options: deny HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an...
fortify stored credentials in plain text
fortify 19.1.29 and earlier stored its proxy server password unencrypted in job config.xml files. This password could be read by users with the Extended Read permission. fortify 19.2.30 now encrypts the proxy server password...
XXE vulnerability in websphere-deployer
websphere-deployer 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin. As of...
CSRF vulnerability and missing permission checks in ec2
ec2 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. NOTE: This...
redgate-sql-ci stored credentials in plain text
redgate-sql-ci 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system. This is due to an incomplete fix of SECURITY-1598...
CSRF vulnerability and missing permission checks in sounds allow OS command execution
sounds 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins. Additionally, these form validation URLs do not require POST requests, resulting in...
XXE vulnerability in robot
robot 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets fro...
CSRF vulnerability and missing permission checks in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient. Additionally, these form validation methods do not require POST...
Reflected XSS vulnerability in gitlab-hook
gitlab-hook 1.4.2 and earlier does not escape project names in the buildnow endpoint. This results in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
XXE vulnerability in m2release
m2release retrieves XML from Nexus repository manager APIs. m2release 0.16.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be...
CSRF vulnerability and missing permission check in build-failure-analyzer allow ReDoS
build-failure-analyzer 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread. Additionally, this form validation...
CSRF vulnerability and missing permission checks in websphere-deployer
websphere-deployer 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain...
SSL/TLS certificate validation globally and unconditionally disabled by websphere-deployer
websphere-deployer 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem. As of publication of this advisory, ther...
CSRF vulnerability and missing permission checks in rapiddeploy-jenkins allow SSRF
rapiddeploy-jenkins 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server. Additionally, these form validation methods do not require POST...
CSRF vulnerability and missing permission checks in gerrit-trigger
gerrit-trigger 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an...
redgate-sql-ci stores credentials in plain text
redgate-sql-ci 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins controller as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. redgate-sql-ci 2.0.4...
CSRF vulnerability and missing permission checks in teamconcert allows capturing credentials
teamconcert 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
CSRF vulnerability in mantis
mantis 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials. As of publication of this advisory...
Stored XSS vulnerability in pipeline-aggregator-view
pipeline-aggregator-view 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names. This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the...
rundeck stored credentials in plain text
rundeck 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission in the case of job config.xml files or acce...
Stored XSS vulnerability in buildgraph-view
buildgraph-view 1.8 and earlier does not escape the description of builds shown in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description. As of publication of this advisory, there is no fix...