XML External Entity processing vulnerability in pipeline-maven
pipeline-maven did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing. This allowed attackers able to control the contents of a temporary directory on the agent that the Maven build is executing on to have Jenkins parse a maliciously crafted XML file that...
Unsafe entry in Script Security list of approved signatures in workflow-remote-loader
workflow-remote-loader provides a custom list of pre-approved signatures for Script Security. Those entries apply to all scripts with sandbox protection, such as Pipeline. One entry provided here was unsafe, as it allowed invoking arbitrary methods, bypassing sandbox protection. The unsafe...
Improper handling of untrusted branches in gitea
Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch's Jenkinsfile content is used instead. gite...
CSRF vulnerability in artifactory
artifactory implements a number of API endpoints allowing users to trigger various actions related to releasing and promotion. These endpoints do not require POST requests, resulting in a cross-site request forgery vulnerability. As of publication of this advisory, no release containing a fix is...
Certificate file read vulnerability in credentials
Credentials Plugin allowed the creation of Certificate credentials from a PKCS12 file on the Jenkins controller. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path. Additionally, they cou...
Missing permission check allowed obtaining limited information about system configuration in pam-auth
A missing permission check in pam-auth allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as. Depending on configuration...
sitemonitor globally and unconditionally disables SSL/TLS certificate validation
sitemonitor unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. sitemonitor no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually...
CSRF vulnerability and missing permission check in ansible-tower allowed capturing credentials
ansible-tower did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Users with Overall/Read access are able to enumerate credential IDs in ansible-tower
ansible-tower provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack ...
twitter stores credentials in plain text
twitter stores credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
koji globally and unconditionally disables SSL/TLS certificate validation
koji unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
CSRF vulnerability in OAuth callback in github-oauth
github-oauth did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to...
XXE vulnerability via UDP broadcast response in swarm client
swarm allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents. swarm does not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allows unauthenticated attackers o...
aqua-microscanner stored credentials in plain text
aqua-microscanner stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. aqua-microscanner now stores credentials encrypted...
CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core
analysis-core has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing...
azure-ad stored credentials in plain text
azure-ad stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-ad now stores the client secret encrypted...
jira-ext stored credentials in plain text
jira-ext stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. jira-ext now stores credentials encrypted...
CSRF vulnerability and missing permission check in deployit-plugin
A missing permission check in a form validation method in deployit-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting...
Sandbox bypass in ontrack
ontrack supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and...
CSRF vulnerability and missing permission checks in gitlab-plugin allowed capturing credentials
gitlab-plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
azure-publishersettings-credentials stored credentials in plain text
azure-publishersettings-credentials stored the service management certificate unencrypted in credentials.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-publishersettings-credentials has been deprecated...
Jenkins accepted cached legacy CLI authentication
The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches. This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated. Support for the...
XSS vulnerability in form validation button
The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. The affected form control has been rewritten to no longer need to escape job URLs...
veracode-scanner Plugin stores credentials in plain text
veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
koji stores credentials in plain text
koji stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in kmap-jenkins allow SSRF
A missing permission check in a form validation method in kmap-jenkins allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in...
kmap-jenkins stores credentials in plain text
kmap-jenkins stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
crittercism-dsym stores API key in plain text
crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
cloudcoreo-deploytime stores credentials in plain text
cloudcoreo-deploytime stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
jenkins-jira-issue-updater stores credentials in plain text
jenkins-jira-issue-updater stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
websphere-deployer stores credentials in plain text
websphere-deployer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Bitbucket Approve Plugin stores credentials in plain text
Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucketapprove.BitbucketApprover.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
zap stores credentials in plain text
zap stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
jenkins-cloudformation-plugin stores credentials in plain text
jenkins-cloudformation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
AWS CloudWatch Logs Publisher Plugin stores credentials in plain text
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
aws-device-farm stores credentials in plain text
aws-device-farm stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Aqua Security Scanner Plugin stores credentials in plain text
Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
wildfly-deployer stores credentials in plain text
wildfly-deployer stores deployment credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Audit to Database Plugin stores credentials in plain text
Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in audit2db allow connecting to arbitrary databases
A missing permission check in a form validation method in audit2db allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...
CSRF vulnerability and missing permission check in sinatra-chef-builder allow SSRF
A missing permission check in a form validation method in sinatra-chef-builder allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
upload-pgyer stores credentials in plain text
upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Open STF Plugin stores credentials in plain text
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in openid allow SSRF
A missing permission check in a form validation method in openid allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
starteam stores credentials in plain text
starteam stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
klaros-testmanagement stores credentials in plain text
klaros-testmanagement stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
minio-storage stores credentials in plain text
minio-storage stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
youtrack-plugin stored credentials in plain text
youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...
aws-beanstalk-publisher-plugin stores credentials in plain text
aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
HockeyApp stores credentials in plain text
HockeyApp stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...