1442 matches found
bumblebee unconditionally disabled SSL/TLS certificate validation
bumblebee unconditionally disabled SSL/TLS certificate validation for connections to the HP ALM service. bumblebee no longer does that. Instead, it now allows users to opt out of certificate validation...
ldapemail shows plain text password in configuration form
ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...
vault-scm-plugin shows plain text password in configuration form
vault-scm-plugin stores an SCM password in job configurations. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and simil...
Stored XSS vulnerability in htmlpublisher
htmlpublisher did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission. htmlpublish...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through default parameter expressions in constructors. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox...
dingding-notifications stores credentials in plain text
dingding-notifications stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in expandable textbox form control
Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by...
Diagnostic web page exposed Cookie HTTP header
Jenkins shows various technical information about the current user on the /whoAmI URL. The information shown includes HTTP request headers. This allowed attackers able to exploit another cross-site scripting vulnerability to obtain the Cookie header's value even if the HttpOnly flag would prevent...
CSRF vulnerability and missing permission check in project-inheritance
project-inheritance allows the creation of projects based on templates defined in the plugin configuration. A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did not...
aqua-microscanner showed plain text credential in configuration form
aqua-microscanner stores a token credential in its global Jenkins configuration. While the token is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the token through browser extensions, cross-site scripting...
gitlab-logo stored credentials in plain text
gitlab-logo stored a private token unencrypted in its global configuration file org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty.xml on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. gitlab-logo now stores the token encrypted...
violation-comments-to-gitlab stored credentials in plain text
violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...
Stored XSS vulnerability in queue item tooltip
Jenkins did not escape the reason a queue item is blocked in tooltips. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the reason a queue item is blocked, for example a label expression that does not match idle executors. Jenkins now escapes the reas...
XSS vulnerability in Jenkins URL setting
Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...
Stored XSS vulnerability in log-parser
log-parser did not escape an error message shown when log parsing patterns are invalid. This resulted in a persisted cross-site scripting vulnerability exploitable by attackers able to control the log parsing rules configuration, typically users with Job/Configure permission. Jenkins applies the...
git-changelog stored credentials in plain text
git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. git-changelog now stores these passwords encrypted. Existing jo...
XSS vulnerability in combobox form control
Jenkins interpreted items added to f:combobox form controls as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of f:combobox form controls. Jenkins no longer interprets items added to a combobox as HTML. NOTE ====== This might be a...
Stored XSS vulnerability in SCM tag action tooltip
Jenkins did not escape the tag name on the tooltip for tag actions shown in the build history. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the SCM tag name for these actions. Jenkins now escapes the SCM tag action...
project-inheritance showed secret environment variables defined in Mask Passwords Plugin
Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...
neuvector-vulnerability-scanner stored credentials in plain text
neuvector-vulnerability-scanner stored registry credentials unencrypted in its global configuration file io.jenkins.plugins.neuvector.NeuVectorBuilder.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system...
aqua-security-scanner showed plain text password in configuration form
aqua-security-scanner stores a password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
inedo-buildmaster showed plain text password in configuration form
inedo-buildmaster stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
inedo-proget showed plain text password in configuration form
inedo-proget stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
datatheorem-mobile-app-security stored credentials in plain text
datatheorem-mobile-app-security stored a proxy password unencrypted in job config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. datatheorem-mobile-app-security now stores the proxy passwo...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Kubernetes Steps Plugin
Kubernetes Pipeline - Kubernetes Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Arquillian Steps Plugin
Kubernetes Pipeline - Arquillian Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
application-director-plugin stores credentials in plain text
application-director-plugin stores the Application Director password unencrypted in its global configuration file jfullam.vfabric.jenkins.plugin.ApplicationDirectorPostBuildDeployer.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file...
call-remote-job-plugin stores credentials in plain text
call-remote-job-plugin stores a password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
elOyente stores credentials in plain text
elOyente stores a password unencrypted in its global configuration file com.technicolor.eloyente.ElOyente.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
gem-publisher stores credentials in plain text
gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
assembla stores credentials in plain text
assembla stores the Assembla password unencrypted in its global configuration file jenkins.plugin.assembla.AssemblaProjectProperty.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no...
azure-event-grid-notifier stores credentials in plain text
azure-event-grid-notifier stores the Azure Event Grid secret key unencrypted in job config.xml files on the Jenkins controller. This key can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CodeScan stores credentials in plain text
CodeScan stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
gcal stores credentials in plain text
gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through any of the following: Crafted method names in method call expressions CVE-2019-10393 Crafted property names in property expressions on the left-hand side of assignment expressions CVE-2019-10394 Crafted property names in property...
Stored XSS vulnerability in dashboard-view
dashboard-view did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. dashboard-view now applies the configured markup formatter to the build...
beaker-builder stored credentials in plain text
beaker-builder stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. beaker-builder now stores these credentials encrypted...
System command execution vulnerability in git-client
git-client accepts user-specified values as argument to an invocation of git ls-remote to validate the existence of a Git repository at the specified URL. This was implemented in a way that allowed attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins...
Stored XSS vulnerability in build-environment
build-environment did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applie...
aqua-serverless showed plain text password in job configuration form fields
aqua-serverless stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and...
Sandbox Bypass in splunk-devops
splunk-devops has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming...
CSRF protection tokens for anonymous users did not expire in some circumstances
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the...
Stored XSS vulnerability in update center
Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators. Jenkins now escapes the update site URL in status messages shown...
ibm-application-security showed plain text password in job configuration form fields
ibm-application-security stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
mask-passwords shows plain text passwords in global configuration form fields
mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...
Stored XSS vulnerability in pegdown-formatter
pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting XSS as a feature. pegdown-formatter does not prevent the use of javascript: scheme in URLs for links. This...
Google Cloud Messaging Notification stores credentials in plain text
Google Cloud Messaging Notification stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisor...
Script sandbox bypass vulnerability in Simple Travis Pipeline Runner
Simple Travis Pipeline Runner defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...
codefresh globally and unconditionally disables SSL/TLS certificate validation
codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
eggplant-plugin stores credentials in plain text
eggplant-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...