Lucene search
K
JenkinsRecent

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/23 12:0 a.m.•8 views

zulip stored credentials in plain text

zulip stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins...

7.8CVSS7.3AI score0.00333EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/23 12:0 a.m.•7 views

Users with Overall/Read access could enumerate credential IDs in kubernetes-ci

kubernetes-ci provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...

6.5CVSS6.4AI score0.00836EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/23 12:0 a.m.•9 views

Users with Overall/Read access could enumerate credential IDs in libvirt-slave

libvirt-slave provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of a...

4.3CVSS5.1AI score0.00678EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/23 12:0 a.m.•6 views

Reflected XSS vulnerability in build-metrics

build-metrics does not properly escape the label query parameter, resulting in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...

6.1CVSS5.8AI score0.57735EPSS
Exploits5Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•11 views

Users with Overall/Read access could enumerate credential IDs in crx-content-package-deployer

crx-content-package-deployer provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be...

4.3CVSS5.1AI score0.00664EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

icescrum stored credentials in plain text

icescrum stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the Jenkins controller file system. icescrum 1.1.5 and newer now stores these credentials encrypted...

8.8CVSS6.2AI score0.01634EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•9 views

cloudtest stores API token in plain text

cloudtest stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00469EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in crx-content-package-deployer allowed capturing credentials

crx-content-package-deployer did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...

8.8CVSS7AI score0.01034EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•13 views

CSRF vulnerability and missing permission check in icescrum

icescrum did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified access token or username and password. Additionally, the form validatio...

4.3CVSS5AI score0.00665EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

Script sandbox bypass vulnerability in Puppet Enterprise Pipeline

Puppet Enterprise Pipeline defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...

9.9CVSS9AI score0.0192EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

elasticbox stores access token in plain text

elasticbox stores an access token unencrypted in the global config.xml configuration file on the Jenkins controller. This token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...

3.3CVSS4.8AI score0.00241EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•5 views

Arbitrary file read vulnerability in google-oauth-plugin

google-oauth-plugin allowed the creation of credentials based on the content of files on the Jenkins controller through a feature retaining backwards compatibility with earlier plugin releases. This allowed users with the permission to configure jobs and credentials to read arbitrary files on the...

6.5CVSS6.6AI score0.00989EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•9 views

neoload-jenkins-plugin stored credentials in plain text

neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the...

8.8CVSS6.2AI score0.01486EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

bumblebee unconditionally disabled SSL/TLS certificate validation

bumblebee unconditionally disabled SSL/TLS certificate validation for connections to the HP ALM service. bumblebee no longer does that. Instead, it now allows users to opt out of certificate validation...

6.5CVSS5.8AI score0.00799EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

Missing permission checks in google-kubernetes-engine allowed validating and obtaining data

Missing permission checks in google-kubernetes-engine allowed users with Overall/Read permission to obtain limited information about the scope and access of a credential with an attacker-specified credential ID obtained through another method. google-kubernetes-engine now requires Job/Configure...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•10 views

vmanager-plugin globally and unconditionally disabled SSL/TLS certificate validation

vmanager-plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. vmanager-plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections...

8.2CVSS7.7AI score0.00993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•9 views

sofy-ai stores API token in plain text

sofy-ai stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00511EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•9 views

extensivetesting stores credentials in plain text

extensivetesting stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

8.8CVSS7.9AI score0.00897EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•6 views

fortify-on-demand-uploader stores credentials in plain text

fortify-on-demand-uploader stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

8.8CVSS6.3AI score0.00676EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•5 views

view26 stores access token in plain text

view26 stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...

4.3CVSS5.1AI score0.00469EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•9 views

delphix stores credentials in plain text

delphix stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory there is no fix...

7.8CVSS7.3AI score0.0027EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•6 views

CSRF vulnerability and missing permission check in rundeck

rundeck does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method does not...

4.3CVSS5AI score0.00665EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/16 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in oracle-cloud-infrastructure-compute-classic

oracle-cloud-infrastructure-compute-classic does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally,...

4.3CVSS5AI score0.00623EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•8 views

Stored XSS vulnerability in htmlpublisher

htmlpublisher did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission. htmlpublish...

5.4CVSS6.5AI score0.01177EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•9 views

dingding-notifications stores credentials in plain text

dingding-notifications stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

3.3CVSS5.1AI score0.00409EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•9 views

ldapemail shows plain text password in configuration form

ldapemail stores an LDAP bind password in its global Jenkins configuration. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting...

7.5CVSS6.9AI score0.00887EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•8 views

vault-scm-plugin shows plain text password in configuration form

vault-scm-plugin stores an SCM password in job configurations. While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and simil...

7.5CVSS7AI score0.00887EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/01 12:0 a.m.•7 views

Sandbox bypass vulnerability in script-security

Sandbox protection in script-security could be circumvented through default parameter expressions in constructors. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox...

9.9CVSS8.4AI score0.02698EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•9 views

XSS vulnerability in Jenkins URL setting

Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. Jenkins now prevents values other than HTTP/HTTPS URLs from being set as...

4.8CVSS4.9AI score0.00992EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•9 views

project-inheritance showed secret environment variables defined in Mask Passwords Plugin

Mask Passwords Plugin allows users to define secret environment variables typically passwords to be passed to builds, both globally, and for specific jobs. These environment variables are expected to not be shown. project-inheritance showed the variable values on its Full Build Flow view and...

6.5CVSS6.4AI score0.01186EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

aqua-security-scanner showed plain text password in configuration form

aqua-security-scanner stores a password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...

7.5CVSS7AI score0.00888EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•8 views

git-changelog stored credentials in plain text

git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. git-changelog now stores these passwords encrypted. Existing jo...

6.5CVSS5.7AI score0.01038EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•8 views

gitlab-logo stored credentials in plain text

gitlab-logo stored a private token unencrypted in its global configuration file org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty.xml on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. gitlab-logo now stores the token encrypted...

5.5CVSS5.7AI score0.00324EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

violation-comments-to-gitlab stored credentials in plain text

violation-comments-to-gitlab stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or acces...

6.5CVSS5.6AI score0.01068EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•6 views

application-director-plugin stores credentials in plain text

application-director-plugin stores the Application Director password unencrypted in its global configuration file jfullam.vfabric.jenkins.plugin.ApplicationDirectorPostBuildDeployer.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file...

5.5CVSS5.1AI score0.00321EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

assembla stores credentials in plain text

assembla stores the Assembla password unencrypted in its global configuration file jenkins.plugin.assembla.AssemblaProjectProperty.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no...

5.5CVSS5.1AI score0.00348EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•6 views

call-remote-job-plugin stores credentials in plain text

call-remote-job-plugin stores a password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

6.5CVSS5.6AI score0.01001EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•5 views

CodeScan stores credentials in plain text

CodeScan stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

5.5CVSS5.1AI score0.00321EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•9 views

gcal stores credentials in plain text

gcal stores a calendar password unencrypted in job config.xml files on the Jenkins controller. This password can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

6.5CVSS5.6AI score0.01001EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

Stored XSS vulnerability in expandable textbox form control

Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by...

5.4CVSS5.2AI score0.01033EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

Stored XSS vulnerability in SCM tag action tooltip

Jenkins did not escape the tag name on the tooltip for tag actions shown in the build history. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the SCM tag name for these actions. Jenkins now escapes the SCM tag action...

5.4CVSS5.3AI score0.01033EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•6 views

Diagnostic web page exposed Cookie HTTP header

Jenkins shows various technical information about the current user on the /whoAmI URL. The information shown includes HTTP request headers. This allowed attackers able to exploit another cross-site scripting vulnerability to obtain the Cookie header's value even if the HttpOnly flag would prevent...

5.4CVSS5.1AI score0.65753EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•5 views

CSRF vulnerability and missing permission check in project-inheritance

project-inheritance allows the creation of projects based on templates defined in the plugin configuration. A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did not...

4.3CVSS5AI score0.00615EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

Stored XSS vulnerability in log-parser

log-parser did not escape an error message shown when log parsing patterns are invalid. This resulted in a persisted cross-site scripting vulnerability exploitable by attackers able to control the log parsing rules configuration, typically users with Job/Configure permission. Jenkins applies the...

5.4CVSS5.4AI score0.00882EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•10 views

aqua-microscanner showed plain text credential in configuration form

aqua-microscanner stores a token credential in its global Jenkins configuration. While the token is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the token through browser extensions, cross-site scripting...

5.3CVSS5.4AI score0.00771EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•8 views

inedo-buildmaster showed plain text password in configuration form

inedo-buildmaster stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...

7.5CVSS5.5AI score0.00947EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

datatheorem-mobile-app-security stored credentials in plain text

datatheorem-mobile-app-security stored a proxy password unencrypted in job config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. datatheorem-mobile-app-security now stores the proxy passwo...

6.5CVSS5.6AI score0.01001EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•8 views

Script sandbox bypass vulnerability in Kubernetes Pipeline - Kubernetes Steps Plugin

Kubernetes Pipeline - Kubernetes Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...

9.9CVSS9AI score0.01205EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•5 views

azure-event-grid-notifier stores credentials in plain text

azure-event-grid-notifier stores the Azure Event Grid secret key unencrypted in job config.xml files on the Jenkins controller. This key can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

4.3CVSS5AI score0.00812EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

XSS vulnerability in combobox form control

Jenkins interpreted items added to f:combobox form controls as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of f:combobox form controls. Jenkins no longer interprets items added to a combobox as HTML. NOTE ====== This might be a...

5.4CVSS5.2AI score0.01033EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464