
1442 matches found

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

octopusdeploy stores credentials in plain text

octopusdeploy stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01365 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

VS Team Services Continuous Deployment Plugin stores credentials in plain text

vsts-cd stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01365 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

Audit to Database Plugin stores credentials in plain text

Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01365 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in audit2db allow connecting to arbitrary databases

A missing permission check in a form validation method in audit2db allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...

CVSS 6.5 • AI score 6.4 • EPSS 0.01486 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in openshift-deployer

A missing permission check in a form validation method in openshift-deployer allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...

CVSS 6.5 • AI score 6.4 • EPSS 0.01536 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in gearman-plugin

A missing permission check in a form validation method in gearman-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...

CVSS 6.5 • AI score 6.3 • EPSS 0.01486 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

fabric-beta-publisher stores credentials in plain text

fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 6.5 • AI score 6.5 • EPSS 0.01226 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in cloudtest allow SSRF

A missing permission check in a form validation method in cloudtest allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options. Additionally, the form validation method does not require POST...

CVSS 6.5 • AI score 6.3 • EPSS 0.01486 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

Perfecto Mobile Plugin stores credentials in plain text

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 6.5 • AI score 6.5 • EPSS 0.01186 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

jabber-server-plugin stores credentials in plain text

jabber-server-plugin stores credentials unencrypted in its global configuration file de.enexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in openid allow SSRF

A missing permission check in a form validation method in openid allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...

CVSS 6.5 • AI score 6.3 • EPSS 0.01549 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

starteam stores credentials in plain text

starteam stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 7.9 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

Assembla Auth Plugin stores credentials in plain text

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 7.9 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

klaros-testmanagement stores credentials in plain text

klaros-testmanagement stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in jenkins-reviewbot allow SSRF

A missing permission check in a form validation method in jenkins-reviewbot allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting ...

CVSS 6.5 • AI score 6.3 • EPSS 0.01486 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

mabl-integration stores credentials in plain text

mabl-integration stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

diawi-upload stores credentials in plain text

diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

minio-storage stores credentials in plain text

minio-storage stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

deployhub stores credentials in plain text

deployhub stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

youtrack-plugin stored credentials in plain text

youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...

CVSS 8.8 • AI score 6.2 • EPSS 0.01832 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF

A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...

CVSS 6.5 • AI score 6.4 • EPSS 0.01536 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

netsparker-cloud-scan stored credentials in plain text

netsparker-cloud-scan stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system. netsparker-cloud-scan now stores API tokens...

CVSS 8.8 • AI score 6.2 • EPSS 0.01832 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

CSRF vulnerability and missing permission check in kmap-jenkins allow SSRF

A missing permission check in a form validation method in kmap-jenkins allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in...

CVSS 6.5 • AI score 6.4 • EPSS 0.01486 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

Crowd Integration Plugin stores credentials in plain text

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 6.5 • AI score 6.5 • EPSS 0.01622 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

relution-publisher stores credentials in plain text

relution-publisher stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relutionpublisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

kmap-jenkins stores credentials in plain text

kmap-jenkins stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 7.9 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

crittercism-dsym stores API key in plain text

crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.3 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

sra-deploy stores credentials in plain text

sra-deploy stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

sametime stores credentials in plain text

sametime stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

koji stores credentials in plain text

koji stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

cloudcoreo-deploytime stores credentials in plain text

cloudcoreo-deploytime stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

CVSS 8.8 • AI score 6.2 • EPSS 0.01773 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/04/03 12:00 a.m.

TestFairy stores credentials in plain text

TestFairy stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

CVSS 6.5 • AI score 6.4 • EPSS 0.01676 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

Codebeamer Test Results Trend Updater Plugin stored password in plain text

Codebeamer Test Results Trend Updater Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. The plugin now...

CVSS 4.3 • AI score 5.4 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials

Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stor...

CVSS 7.5 • AI score 6 • EPSS 0.0146 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

ECS Publisher Plugin stored and displayed API token in plain text

ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Additionally, the API token was not mask...

CVSS 6.5 • AI score 6.5 • EPSS 0.01613 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

PRQA Plugin stored password in plain text

PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk...

CVSS 7.8 • AI score 5.9 • EPSS 0.00298 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin

Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used...

CVSS 4.3 • AI score 5.4 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin

A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSR...

CVSS 6.5 • AI score 6.4 • EPSS 0.01536 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin

Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types. Script Security and Pipeline: Groovy have been hardened to prevent these methods...

CVSS 9.8 • AI score 7 • EPSS 0.03338 • Exploits: 0 • Affected software: 2

Jenkins Security Advisories • added 2019/03/25 12:00 a.m.

XSS vulnerability in Lockable Resources Plugin

Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting (XSS) vulnerability. The plugin now properly escapes resource names in its scripts...

CVSS 5.4 • AI score 6 • EPSS 0.01386 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin

A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password. Additionally, this form validation...

CVSS 4.3 • AI score 5.5 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin stored password in plain text

OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin stored the HTTP proxy username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The...

CVSS 3.3 • AI score 5.4 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud

A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as...

CVSS 4.3 • AI score 5.5 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Script security sandbox bypass in Job DSL Plugin

Job DSL Plugin supports sandboxed Groovy expressions for Job DSL definitions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the Job DSL scripts to bypass the sandbox...

CVSS 9.9 • AI score 8.8 • EPSS 0.03017 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Information disclosure in Azure VM Agents Plugin

A missing permission check in a form validation method in Azure VM Agents Plugin allowed users with Overall/Read access to verify a submitted configuration, obtaining limited information about the Azure account and configuration. Additionally, this form validation method did not require POST...

CVSS 5 • AI score 5.2 • EPSS 0.01017 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

A missing permission check in an HTTP endpoint allowed users with Overall/Read access to attach a public IP address to an Azure VM in Azure VM Agents Plugin, making a virtual machine publicly accessible. Additionally, this form validation method did not require POST requests, resulting in a CSRF...

CVSS 4.3 • AI score 5.2 • EPSS 0.00931 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin

Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as...

CVSS 6.5 • AI score 6.5 • EPSS 0.01301 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Repository Connector Plugin stored password in plain text

Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

CVSS 7.8 • AI score 6.3 • EPSS 0.00393 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

AppDynamics Dashboard Plugin stored password in plain text

AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a...

CVSS 8.8 • AI score 6.5 • EPSS 0.01426 • Exploits: 0 • Affected software: 1

Jenkins Security Advisories • added 2019/03/06 12:00 a.m.

Rabbit-MQ Publisher Plugin stored password in plain text

Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

CVSS 3.3 • AI score 5.3 • Exploits: 0 • Affected software: 1

Total number of security vulnerabilities: 1442