CSRF vulnerability and missing permission check in relution-publisher allow SSRF
A missing permission check in a form validation method in relution-publisher allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration. Additionally, the form validation...
Stored XSS vulnerability in pegdown-formatter
pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature. pegdown-formatter does not prevent the use of the javascript: scheme in URLs for links. This...
labmanager globally and unconditionally disables SSL/TLS certificate validation
labmanager unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
mask-passwords shows plain text passwords in global configuration form fields
mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...
Stored XSS vulnerability in build-pipeline-plugin
build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
Arbitrary file read vulnerability in filesystem_scm
filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...
Reflected XSS vulnerability in jenkinswalldisplay
jenkinswalldisplay does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission check in XL TestView allow capturing credentials
XL TestView does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
codefresh globally and unconditionally disables SSL/TLS certificate validation
codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...
CSRF vulnerability and missing permission check in jclouds-jenkins allowed capturing credentials
jclouds-jenkins did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Script sandbox bypass vulnerability in Simple Travis Pipeline Runner
Simple Travis Pipeline Runner defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...
Missing permission check in workflow-cps-global-lib
workflow-cps-global-lib provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an...
maven-plugin did not mask sensitive values in module build logs
maven-plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked. maven-plugin now applies build log decorators from the Build Environment configuration to module builds...
configuration-as-code allowed users without Overall/Administer permission to access documentation
configuration-as-code provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This includ...
Sandbox bypass through type casts in script-security
Sandbox protection in script-security could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren't approved. Additionally, this could be used to read arbitrary files on the Jenkins controller. Casting...
configuration-as-code did not mask proxy credentials
configuration-as-code provides a custom configurator for the Jenkins proxy configuration. This feature did not mask the password for logging or encrypt it in the export. configuration-as-code 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export...
configuration-as-code exported secret values in plain text
configuration-as-code allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure. configuration-as-code did not reliably detect which values in the exported YAML file need to be considere...
Sandbox bypass through method pointer expressions in script-security
Sandbox protection in script-security could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. Method pointer subexpression...
m2release stored credentials in plain text
m2release stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. m2release now stores credentials encrypte...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Between configuration-as-code 0.8-alpha and 1.0, log messages contained values if the values were...
Stored XSS vulnerability in m2release
m2release did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability. Variables on affected views are now escaped...
configuration-as-code evaluated variable references when importing a previously exported configuration
configuration-as-code allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references e.g. $VARIABLENAME in the configuration YAML file. These will be...
ec2 leaked beginning of private key in system log
ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...
skytap stored credentials in plain text
skytap stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. skytap now stores credentials encrypted...
CSRF vulnerability in m2release
m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...
google-kubernetes-engine stored temporary secret in a user accessible location
google-kubernetes-engine created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token. This temporary file is now created outside the regular...
CSRF protection tokens did not expire
By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim's IP address remained unchanged. CSRF tokens will now also check the web session ID to confirm th...
Unauthorized view fragment access
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. In some cases attackers could directly access a view fragment containing sensitive information, bypassing any...
Arbitrary file write vulnerability using file parameter definitions
Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins controller, resulting in an arbitrary file write vulnerability. File parameters...
gogs-webhook stored credentials in plain text
gogs-webhook stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. gogs-webhook now stores credentials encrypted...
mashup-portlets-plugin stored credentials in plain text
mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...
CSRF vulnerability and missing permission check in docker-plugin allowed capturing credentials
docker-plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Stored XSS vulnerability in depgraph-view
depgraph-view does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...
Users with Overall/Read access could enumerate credential IDs in docker-plugin
docker-plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of ...
port-allocator stores credentials in plain text
port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
caliper-ci stores credentials in plain text
caliper-ci stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
XML External Entity processing vulnerability in token-macro
token-macro did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing. This allowed attackers able to control the contents of files processed with the $XML macro to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction o...
Missing permission checks in electricflow
Various form validation and form autocompletion methods in electricflow lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of electricflow, as well as the configuration and data of connected ElectricFlow servers. These form...
electricflow globally and unconditionally disabled SSL/TLS certificate validation
electricflow unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. electricflow no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific...
XSS vulnerability in electricflow affecting job configuration forms
The configuration forms of various post-build steps contributed by electricflow were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. electricflow no...
CSRF vulnerability and missing permission checks in electricflow allowed SSRF
A missing permission check in a form validation method in electricflow allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST requests,...
XSS vulnerability in build metadata contributed by electricflow
The plugin adds metadata displayed on build pages during its operations. Any user content was not escaped, resulting in a cross-site scripting vulnerability allowing users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow to render arbitrary HTML and...
CSRF vulnerability and missing permission check in jx-resources
jx-resources did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service...
XML External Entity processing vulnerability in pipeline-maven
pipeline-maven did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing. This allowed attackers able to control the contents of a temporary directory on the agent that the Maven build is executing on to have Jenkins parse a maliciously crafted XML file that...
CSRF vulnerability and missing permission check in artifactory allow capturing credentials
artifactory does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability in warnings-ng
warnings-ng did not require that requests sent to the endpoint used to reset warning counts use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to reset warning counts for future builds. warnings-ng now requires that these requests be sent via POST...
Persisted XSS vulnerability in warnings-ng
warnings-ng rendered the name of a custom warnings parser unescaped on Jenkins web pages. This allowed attackers with Job/Configure permission to define a custom parser whose name included HTML and JavaScript, resulting in a persisted cross-site scripting vulnerability. warnings-ng now properly...
Improper handling of untrusted branches in gitea
Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...