1442 matches found
SSL/TLS certificate validation globally and unconditionally disabled by inflectra-spira-integration
inflectra-spira-integration 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. inflectra-spira-integration 3.2.4 no longer disables SSL/TLS certificate validation...
Stored XSS vulnerability in buildgraph-view
buildgraph-view 1.8 and earlier does not escape the description of builds shown in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description. As of publication of this advisory, there is no fix...
Users with Overall/Read access can enumerate credential IDs in teamconcert
teamconcert 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be...
weibo stores credentials in plain text
weibo 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is ...
CSRF vulnerability and missing permission checks in alauda-devops-pipeline allows capturing credentials
alauda-devops-pipeline 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained...
SSL/TLS certificate validation globally and unconditionally disabled by websphere-deployer
websphere-deployer 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem. As of publication of this advisory, ther...
Stored XSS vulnerability in mission-control-view
mission-control-view 0.9.16 and earlier does not escape job display names and build names in the view it provides. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties. As of publication of this advisory, there is no fix...
qmetry-for-jira-test-management shows plain text password in configuration form
qmetry-for-jira-test-management stores a credential as part of its post-build step configuration. While the password is stored encrypted on disk since qmetry-for-jira-test-management 1.13, it is transmitted in plain text as part of the configuration form. This can result in exposure of the passwo...
anchore-container-scanner stored credentials in plain text
anchore-container-scanner stored an Anchore.io service password unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system. As the affected functionality has been...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox protecti...
support-core allowed users with Overall/Read permission to delete arbitrary files
support-core did not validate the paths submitted for the "Delete Support Bundles" feature. This allowed users to delete arbitrary files on the Jenkins controller file system accessible to the OS user account running Jenkins. Additionally, this endpoint did not perform a permission check, allowin...
Folder-scoped Jira sites in jira were able to access System-scoped credentials
jira allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder t...
CSRF vulnerability in google-compute-engine allowed provisioning agents
google-compute-engine did not require POST requests on an API endpoint. This CSRF vulnerability allowed attackers to provision new agents. google-compute-engine now requires POST requests for this API endpoint...
qmetry-for-jira-test-management stored credentials in plain text
qmetry-for-jira-test-management stored credentials unencrypted in job config.xml files on the Jenkins controller as part of its post-build step configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system...
inflectra-spira-integration stored credentials in plain text
inflectra-spira-integration stored a credential unencrypted in its global configuration file com.inflectra.spiratest.plugins.SpiraBuilder.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system. inflectra-spira-integration now stor...
google-compute-engine did not verify SSH host keys
google-compute-engine did not use SSH host key verification when connecting to VMs launched by the plugin. This lack of verification could be abused by a MitM attacker to intercept these connections to attacker-specified build agents without warning. google-compute-engine now verifies SSH host ke...
google-compute-engine disclosed environment information to users with Overall/Read permission
google-compute-engine did not verify permissions on multiple auto-complete API endpoints. This allowed users with Overall/Read permissions to view various metadata about the running cloud environment. google-compute-engine now requires the appropriate Job/Configure permission to view these metada...
CSRF vulnerability in dynatrace-dashboard
dynatrace-dashboard did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password. dynatrace-dashboard now requires POST requests for thi...
Missing permission check in dynatrace-dashboard
dynatrace-dashboard does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password. As of publication of this advisory,...
sonar-gerrit stored credentials in plain text
sonar-gerrit stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
Users with Overall/Read access could enumerate credential IDs in libvirt-slave
libvirt-slave provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...
Missing permission check in global-post-script allowed obtaining configuration data
global-post-script does not perform permission checks on a method implementing form validation. This allows users with Overall/Read permission to list the files contained in $JENKINS_HOME/global-post-script that can be used by the plugin. As of publication of this advisory, there is no fix...
mattermost stored webhook endpoint token in plain text
Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL. mattermost stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and j...
bitbucket-oauth stored credentials in plain text
bitbucket-oauth stored a credential unencrypted in the global config.xml configuration file on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system. bitbucket-oauth now stores this credential encrypted...
CSRF vulnerability and missing permission check in weblogic-deployer-plugin
weblogic-deployer-plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller...
XXE vulnerability in fireline
fireline accepts XML for part of its configuration. It does not configure the XML parser to prevent XML external entity (XXE) attacks. A form validation method that accepts XML does not perform permission checks. This allows users with Overall/Read permission to have Jenkins parse a crafted XML fil...
CSRF vulnerability and missing permission checks in kubernetes-ci allowed capturing credentials
kubernetes-ci does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
CSRF vulnerability and missing permission checks in libvirt-slave allowed capturing credentials
libvirt-slave does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
zulip stored credentials in plain text
zulip stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins...
dynatrace-dashboard stored credentials in plain text
dynatrace-dashboard stored a credential unencrypted in its global configuration file com.dynatrace.jenkins.dashboard.TAGlobalConfiguration.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system. dynatrace-dashboard now stores this...
Users with Overall/Read access could enumerate credential IDs in kubernetes-ci
kubernetes-ci provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...
Reflected XSS vulnerability in build-metrics
build-metrics does not properly escape the label query parameter, resulting in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
neoload-jenkins-plugin stored credentials in plain text
neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the...
bumblebee unconditionally disabled SSL/TLS certificate validation
bumblebee unconditionally disabled SSL/TLS certificate validation for connections to the HP ALM service. bumblebee no longer does that. Instead, it now allows users to opt out of certificate validation...
elasticbox stores access token in plain text
elasticbox stores an access token unencrypted in the global config.xml configuration file on the Jenkins controller. This token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission check in rundeck
rundeck does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method does not...
CSRF vulnerability and missing permission check in oracle-cloud-infrastructure-compute-classic
oracle-cloud-infrastructure-compute-classic does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally,...
CSRF vulnerability and missing permission check in icescrum
icescrum did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified access token or username and password. Additionally, the form validatio...
Missing permission checks in google-kubernetes-engine allowed validating and obtaining data
Missing permission checks in google-kubernetes-engine allowed users with Overall/Read permission to obtain limited information about the scope and access of a credential with an attacker-specified credential ID obtained through another method. google-kubernetes-engine now requires Job/Configure...
vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation
vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...
Script sandbox bypass vulnerability in Puppet Enterprise Pipeline
Puppet Enterprise Pipeline defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...
sofy-ai stores API token in plain text
sofy-ai stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
cloudtest stores API token in plain text
cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
delphix stores credentials in plain text
delphix stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in google-oauth-plugin
google-oauth-plugin allowed the creation of credentials based on the content of files on the Jenkins controller through a feature retaining backwards compatibility with earlier plugin releases. This allowed users with the permission to configure jobs and credentials to read arbitrary files on the...
CSRF vulnerability and missing permission check in crx-content-package-deployer allowed capturing credentials
crx-content-package-deployer did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Users with Overall/Read access could enumerate credential IDs in crx-content-package-deployer
crx-content-package-deployer provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be...
icescrum stored credentials in plain text
icescrum stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the Jenkins controller file system. icescrum 1.1.5 and newer now stores these credentials encrypted...
extensivetesting stores credentials in plain text
extensivetesting stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
fortify-on-demand-uploader stores credentials in plain text
fortify-on-demand-uploader stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...