1464 matches found
Stored XSS vulnerability in queue item tooltip
Jenkins did not escape the reason a queue item is blocked in tooltips. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the reason a queue item is blocked, for example a label expression that does not match idle executors. Jenkins now escapes the reas...
neuvector-vulnerability-scanner stored credentials in plain text
neuvector-vulnerability-scanner stored registry credentials unencrypted in its global configuration file io.jenkins.plugins.neuvector.NeuVectorBuilder.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system...
inedo-proget showed plain text password in configuration form
inedo-proget stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Arquillian Steps Plugin
Kubernetes Pipeline - Arquillian Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
elOyente stores credentials in plain text
elOyente stores a password unencrypted in its global configuration file com.technicolor.eloyente.ElOyente.xml on the Jenkins controller. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
gem-publisher stores credentials in plain text
gem-publisher stores an API key unencrypted in its global configuration file net.arangamani.jenkins.gempublisher.GemPublisher.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through any of the following: Crafted method names in method call expressions CVE-2019-10393 Crafted property names in property expressions on the left-hand side of assignment expressions CVE-2019-10394 Crafted property names in property...
Stored XSS vulnerability in build-environment
build-environment did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applie...
Stored XSS vulnerability in dashboard-view
dashboard-view did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. dashboard-view now applies the configured markup formatter to the build...
aqua-serverless showed plain text password in job configuration form fields
aqua-serverless stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and...
beaker-builder stored credentials in plain text
beaker-builder stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. beaker-builder now stores these credentials encrypted...
System command execution vulnerability in git-client
git-client accepts user-specified values as argument to an invocation of git ls-remote to validate the existence of a Git repository at the specified URL. This was implemented in a way that allowed attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins...
Stored XSS vulnerability in update center
Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators. Jenkins now escapes the update site URL in status messages shown...
Sandbox Bypass in splunk-devops
splunk-devops has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming...
CSRF protection tokens for anonymous users did not expire in some circumstances
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the...
ibm-application-security showed plain text password in job configuration form fields
ibm-application-security stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Stored XSS vulnerability in pegdown-formatter
pegdown-formatter uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting XSS as a feature. pegdown-formatter does not prevent the use of javascript: scheme in URLs for links. This...
CSRF vulnerability and missing permission check in relution-publisher allow SSRF
A missing permission check in a form validation method in relution-publisher allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration. Additionally, the form validation...
Stored XSS vulnerability in build-pipeline-plugin
build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
Arbitrary file read vulnerability in filesystem_scm
filesystemscm allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent. As of publication of this advisory, there is no fix...
testlink stores credentials in plain text
testlink stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Google Cloud Messaging Notification stores credentials in plain text
Google Cloud Messaging Notification stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisor...
codefresh globally and unconditionally disables SSL/TLS certificate validation
codefresh unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
eggplant-plugin stores credentials in plain text
eggplant-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission check in XL TestView allow capturing credentials
XL TestView does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability and missing permission check in jclouds-jenkins allowed capturing credentials
jclouds-jenkins did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. configuration-as-code inspects the type and looks for a field, getter, or constructor argument...
mask-passwords shows plain text passwords in global configuration form fields
mask-passwords allows specifying passwords to be provided to builds in the global Jenkins configuration. While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions,...
Reflected XSS vulnerability in jenkinswalldisplay
jenkinswalldisplay does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
avatar allows changing other users' avatars
avatar does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own. As of publication of this advisory, there is no fix...
Script sandbox bypass vulnerability in Simple Travis Pipeline Runner
Simple Travis Pipeline Runner defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code...
labmanager globally and unconditionally disables SSL/TLS certificate validation
labmanager unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
Open redirect vulnerability in gitlab-oauth
gitlab-oauth records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in. This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to...
HTTP session fixation vulnerability in gitlab-oauth
gitlab-oauth does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user's pre-login session ID to impersonate them. As of publication of this advisory, there is no fix...
Sandbox bypass through method pointer expressions in script-security
Sandbox protection in script-security could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. Method pointer subexpression...
skytap stored credentials in plain text
skytap stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. skytap now stores credentials encrypted...
configuration-as-code failed to mask secrets in system log messages
configuration-as-code logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked i.e. replaced with asterisks in that log to prevent accidental disclosure. Between configuration-as-code 0.8-alpha and 1.0, log messages contained values if the values were...
configuration-as-code allowed users without Overall/Administer permission to access documentation
configuration-as-code provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This includ...
configuration-as-code evaluated variable references when importing a previously exported configuration
configuration-as-code allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references e.g. $VARIABLENAME in the configuration YAML file. These will be...
ec2 leaked beginning of private key in system log
ec2 printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key...
google-kubernetes-engine stored temporary secret in a user accessible location
google-kubernetes-engine created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token. This temporary file is now created outside the regular...
maven-plugin did not mask sensitive values in module build logs
maven-plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked. maven-plugin now applies build log decorators from the Build Environment configuration to module builds...
Stored XSS vulnerability in m2release
m2release did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability. Variables on affected views are now escaped...
configuration-as-code did not mask proxy credentials
configuration-as-code provides a custom configurator for the Jenkins proxy configuration. This feature did not mask the password for logging or encrypt it in the export. configuration-as-code 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export...
configuration-as-code exported secret values in plain text
configuration-as-code allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure. configuration-as-code did not reliably detect which values in the exported YAML file need to be considere...
Missing permission check in workflow-cps-global-lib
workflow-cps-global-lib provides form validation to determine whether the revision e.g. commit, tag, or branch name specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an...
CSRF vulnerability in m2release
m2release did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases. m2release now requires that these requests be sent via POST...
m2release stored credentials in plain text
m2release stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. m2release now stores credentials encrypte...
Sandbox bypass through type casts in script-security
Sandbox protection in script-security could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren't approved. Additionally, this could be used to read arbitrary files on the Jenkins controller. Casting...
CSRF protection tokens did not expire
By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim's IP address remained unchanged. CSRF tokens will now also check the web session ID to confirm th...