1464 matches found
CSRF protection tokens did not expire
By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim's IP address remained unchanged. CSRF tokens will now also check the web session ID to confirm th...
Unauthorized view fragment access
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. In some cases attackers could directly access a view fragment containing sensitive information, bypassing any...
CSRF vulnerability and missing permission check in docker-plugin allowed capturing credentials
docker-plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Users with Overall/Read access could enumerate credential IDs in docker-plugin
docker-plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of ...
gogs-webhook stored credentials in plain text
gogs-webhook stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. gogs-webhook now stores credentials encrypted...
Reflected XSS vulnerability in embeddable-build-status
embeddable-build-status did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability. Arguments are now sanitized...
mashup-portlets-plugin stored credentials in plain text
mashup-portlets-plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. mashup-portlets-plugin now stores these credentials encrypted...
Stored XSS vulnerability in depgraph-view
depgraph-view does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
port-allocator stores credentials in plain text
port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
caliper-ci stores credentials in plain text
caliper-ci stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
XSS vulnerability in build metadata contributed by electricflow
The plugin adds metadata displayed on build pages during its operations. Any user content was not escaped, resulting in a cross-site scripting vulnerability allowing users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow to render arbitrary HTML and...
CSRF vulnerability and missing permission check in jx-resources
jx-resources did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service...
Missing permission checks in electricflow
Various form validation and form autocompletion methods in electricflow lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of electricflow, as well as the configuration and data of connected ElectricFlow servers. These form...
electricflow globally and unconditionally disabled SSL/TLS certificate validation
electricflow unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. electricflow no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific...
XSS vulnerability in electricflow affecting job configuration forms
The configuration forms of various post-build steps contributed by electricflow were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. electricflow no...
XML External Entity processing vulnerability in token-macro
token-macro did not configure its XML parser in a way that would prevent XML External Entity XXE processing. This allowed attackers able to control the contents of files processed with the $XML macro to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction o...
CSRF vulnerability and missing permission checks in electricflow allowed SSRF
A missing permission check in a form validation method in electricflow allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST requests,...
Users with Overall/Read access could enumerate credential IDs in artifactory
artifactory provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an...
Unsafe entry in Script Security list of approved signatures in workflow-remote-loader
workflow-remote-loader provides a custom list of pre-approved signatures for Script Security. Those entries apply to all scripts with sandbox protection, such as Pipeline. One entry provided here was unsafe, as it allowed invoking arbitrary methods, bypassing sandbox protection. The unsafe...
CSRF vulnerability and missing permission check in artifactory allow capturing credentials
artifactory does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Persisted XSS vulnerability in warnings-ng
warnings-ng rendered the name of a custom warnings parser unescaped on Jenkins web pages. This allowed attackers with Job/Configure permission to define a custom parser whose name included HTML and JavaScript, resulting in a persisted cross-site scripting vulnerability. warnings-ng now properly...
XML External Entity processing vulnerability in pipeline-maven
pipeline-maven did not configure its XML parser in a way that would prevent XML External Entity XXE processing. This allowed attackers able to control the contents of a temporary directory on the agent that the Maven build is executing on to have Jenkins parse a maliciously crafted XML file that...
influxdb stored credentials in plain text
influxdb stored target passwords unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. influxdb now stores its passwords encrypted...
CSRF vulnerability in artifactory
artifactory implements a number of API endpoints allowing users to trigger various actions related to releasing and promotion. These endpoints do not require POST requests, resulting in a cross-site request forgery vulnerability. As of publication of this advisory, no release containing a fix is...
CSRF vulnerability in warnings-ng
warnings-ng did not require that requests sent to the endpoint used to reset warning counts use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to reset warning counts for future builds. warnings-ng now requires that these requests be sent via POST...
Improper handling of untrusted branches in gitea
Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...
Missing permission check allowed obtaining limited information about system configuration in pam-auth
A missing permission check in pam-auth allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as. Depending on configuration...
Certificate file read vulnerability in credentials
Credentials Plugin allowed the creation of Certificate credentials from a PKCS12 file on the Jenkins controller. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path. Additionally, they cou...
twitter stores credentials in plain text
twitter stores credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability in OAuth callback in github-oauth
github-oauth did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to...
sitemonitor globally and unconditionally disables SSL/TLS certificate validation
sitemonitor unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. sitemonitor no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually...
CSRF vulnerability and missing permission check in ansible-tower allowed capturing credentials
ansible-tower did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
XXE vulnerability via UDP broadcast response in swarm client
swarm allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents. swarm does not configure the XML parser in a way that would prevent XML External Entity XXE processing. This allows unauthenticated attackers o...
Users with Overall/Read access are able to enumerate credential IDs in ansible-tower
ansible-tower provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack ...
azure-ad stored credentials in plain text
azure-ad stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-ad now stores the client secret encrypted...
koji globally and unconditionally disables SSL/TLS certificate validation
koji unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
aqua-microscanner stored credentials in plain text
aqua-microscanner stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. aqua-microscanner now stores credentials encrypted...
CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core
analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...
jira-ext stored credentials in plain text
jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...
azure-publishersettings-credentials stored credentials in plain text
azure-publishersettings-credentials stored the service management certificate unencrypted in credentials.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-publishersettings-credentials has been deprecated...
Sandbox bypass in ontrack
ontrack supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and...
CSRF vulnerability and missing permission checks in gitlab-plugin allowed capturing credentials
gitlab-plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
CSRF vulnerability and missing permission check in deployit-plugin
A missing permission check in a form validation method in deployit-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting...
Jenkins accepted cached legacy CLI authentication
The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches. This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated. Support for the...
XSS vulnerability in form validation button
The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting XSS vulnerability exploitable by users with the ability to control job names. The affected form control has been rewritten to no longer need to escape job URLs...
CSRF vulnerability and missing permission check in nomad allow SSRF
A missing permission check in a form validation method in nomad allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
CSRF vulnerability and missing permission check in sinatra-chef-builder allow SSRF
A missing permission check in a form validation method in sinatra-chef-builder allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
CSRF vulnerability and missing permission check in labmanager
A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...
CSRF vulnerability and missing permission check in openshift-deployer
A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...
CSRF vulnerability and missing permission check in gearman-plugin
A missing permission check in a form validation method in gearman-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...