1442 matches found

Jenkins Security Advisories (added 2018/09/25)

PAM Authentication Plugin did not properly validate user accounts

The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts. The bundled version of the library was updated to include the fix for this...

CVSS 6.5 | AI score 6.3 | EPSS 0.0154 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Argus Notifier Plugin

Argus Notifier Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as...

CVSS 4.3 | AI score 5.4 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials

HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credential IDs obtained through another method,...

CVSS 8.8 | AI score 7.9 | EPSS 0.01064 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin

Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part ...

CVSS 6.5 | AI score 6.5 | EPSS 0.01449 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Crowd 2 Integration Plugin stored credentials in plain text

Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk an...

CVSS 7.8 | AI score 7.4 | EPSS 0.00311 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Missing permission check in Metadata Plugin allows unauthorized users to change Metadata Plugin configuration

Metadata Plugin lacks a permission check, allowing users with Overall/Read access to Jenkins to change the plugin's configuration. As of publication of this advisory, there is no fix...

CVSS 6.5 | AI score 5.3 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Stored XSS vulnerability in Git Changelog Plugin

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with commit access to specific Git repositories. Git Changelog Plugin 2.7 and newer escape Git commit messages shown on th...

CVSS 6.1 | AI score 5.9 | EPSS 0.00993 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Arachni Scanner Plugin stored credentials in plain text

Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing configurations are migrated...

CVSS 3.3 | AI score 5.3 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in Argus Notifier Plugin allowed capturing credentials

Argus Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored i...

CVSS 4.2 | AI score 5.2 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Unprivileged users with Overall/Read access are able to enumerate credential IDs in HipChat Plugin

HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part of ...

CVSS 6.5 | AI score 6.5 | EPSS 0.01641 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Server-side request forgery vulnerability in Mesos Plugin

A missing permission check in a form validation method in Mesos Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. Thi...

CVSS 6.5 | AI score 6.5 | EPSS 0.01293 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Server-side request forgery vulnerability in Crowd 2 Integration Plugin

Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings. Additionally, this form validation...

CVSS 6.5 | AI score 6.5 | EPSS 0.00769 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in MQ Notifier Plugin

Users with Overall/Read permission were able to access MQ Notifier Plugin's form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability. The...

CVSS 4.3 | AI score 5.3 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Artifactory Plugin stored old directly entered credentials unencrypted on disk

Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials, however, were not removed when switching to this new system. Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using...

CVSS 7.8 | AI score 7.4 | EPSS 0.00333 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

SonarQube Scanner Plugin stored server authentication token in plain text

SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. The plugin now stores the token encrypted in the configuration files on disk...

CVSS 7.8 | AI score 7.4 | EPSS 0.00344 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in Chatter Notifier Plugin allowed capturing credentials

Chatter Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored...

CVSS 4.2 | AI score 5.2 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Chatter Notifier Plugin

Chatter Notifier Plugin provides a list of applicable credential IDs to allow users configuring the plugin's functionality to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be...

CVSS 4.3 | AI score 5.4 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Publish Over Dropbox Plugin stored credentials in plain text

Publish Over Dropbox Plugin stored the authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system. Additionally, the authorization code was not masked from view usi...

CVSS 3.3 | AI score 5.4 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

XML External Entity Processing Vulnerability in Monitoring Plugin

The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity (XXE) processing vulnerability. This allows attackers to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks...

CVSS 9.8 | AI score 8.4 | EPSS 0.27873 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability in JUnit Plugin

A URL used to allow setting the description of a test object in JUnit Plugin did not require POST requests, resulting in a cross-site request forgery vulnerability. That URL now requires POST requests be sent...

CVSS 6.5 | AI score 6.3 | EPSS 0.00809 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Reflected XSS vulnerability in Job Config History Plugin

Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting (XSS) vulnerability. Job Config History Plugin now globally applies variable escaping to its pages...

CVSS 6.1 | AI score 5.8 | EPSS 0.00842 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in Jira Plugin allowed capturing credentials

Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 8.8 | AI score 6.3 | EPSS 0.01194 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Stored XSS vulnerability in Config File Provider Plugin

Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting (XSS) vulnerability. Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI...

CVSS 5.4 | AI score 5.4 | EPSS 0.00947 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability in Config File Provider Plugin

A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability. This URL now requires POST requests...

CVSS 8.1 | AI score 7.8 | EPSS 0.00835 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Stored XSS vulnerability in Rebuild Plugin

Rebuild Plugin did not escape parameter descriptions shown on the rebuild form page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with the permission to configure jobs. Rebuild Plugin now applies the configured markup formatter to the parameter descriptions it...

CVSS 5.4 | AI score 5.6 | EPSS 0.00622 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability in Email Extension Template Plugin

Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates. These URLs now require POST requests...

CVSS 8.1 | AI score 7.8 | EPSS 0.00788 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

CSRF vulnerability and missing permission checks in Dimensions Plugin

Users with Overall/Read permission were able to access Dimensions Plugin's form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability...

CVSS 4.3 | AI score 5.3 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/09/25)

Dimensions Plugin stored credentials in plain text

Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk and no longer...

CVSS 4.3 | AI score 5.3 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

Cron expression form validation could enter infinite loop, potentially resulting in denial of service

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely...

CVSS 6.5 | AI score 6.6 | EPSS 0.0117 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

"Remember me" cookie was evaluated even if that feature is disabled

The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in. "Remember me" cookies are no longer evaluated when the corresponding feature is disabled...

CVSS 5.5 | AI score 6 | EPSS 0.00874 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

Unauthorized users could access agent logs

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...

CVSS 4.3 | AI score 5.4 | EPSS 0.01254 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

Ephemeral user record was created on some invalid authentication attempts

When attempting to authenticate using an API token, an ephemeral user record was created to validate the token in case an external security realm was used and the user record in Jenkins had not previously been saved, as legacy API tokens could exist without a persisted user record. This behavior could be...

CVSS 7.5 | AI score 6.5 | EPSS 0.01673 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

Jenkins allowed deserialization of URL objects with host components

Jenkins allowed deserialization of URL objects via Remoting agent communication and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods...

CVSS 5.3 | AI score 6.2 | EPSS 0.01459 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/08/15)

Unauthorized users could cancel scheduled restarts initiated from the update center

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks. Access to the affected URL is now limited to users with...

CVSS 6.5 | AI score 6.6 | EPSS 0.00774 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials

Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credential IDs obtained throu...

CVSS 5.4 | AI score 5.7 | EPSS 0.00681 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

meliora-testlab Plugin stored API Key in plain text

meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. Additionally, the API key was not masked from view using a password form fiel...

CVSS 6.5 | AI score 5.9 | EPSS 0.00926 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

CVSS 7.4 | AI score 7.3 | EPSS 0.00793 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

CVSS 7.4 | AI score 7.3 | EPSS 0.00856 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials

Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credential IDs obtained through another method, capturing credentials stor...

CVSS 8.8 | AI score 8.1 | EPSS 0.01119 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escape the names of shelved projects shown on the UI...

CVSS 5.4 | AI score 5.5 | EPSS 0.00719 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Agiletestware Pangolin Connector for TestRail Plugin allowed overriding plugin configuration

Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration. Additionally, the API endpoint did not require...

CVSS 6.5 | AI score 6.5 | EPSS 0.01019 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

Anchore Container Image Scanner Plugin stored password in plain text

Anchore Container Image Scanner Plugin stored the password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

CVSS 6.5 | AI score 6.5 | EPSS 0.00874 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Resource Disposer Plugin

Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource. Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability. This API endpoint now...

CVSS 4.3 | AI score 5 | EPSS 0.00761 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker-specified host. Additionally, this form validation method did not require POST requests, resultin...

CVSS 4.9 | AI score 5 | EPSS 0.00483 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Confluence Publisher Plugin

Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials. Additionally, this form validation method did not require POS...

CVSS 4.3 | AI score 5 | EPSS 0.00642 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...

CVSS 7.4 | AI score 7.3 | EPSS 0.00856 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in Kubernetes Plugin allowed capturing credentials

Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credential IDs obtained through another method, capturing credentia...

CVSS 8.8 | AI score 8 | EPSS 0.01401 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline

When using the sshagent step inside a withDockerContainer block in Pipeline, the resulting logging of the ssh-add command included the SSH key passphrase in plain text. The plugin no longer logs the ssh-add invocation that would reveal the passphrase...

CVSS 6.5 | AI score 5.9 | EPSS 0.01374 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

Tinfoil Security Plugin stored API Secret Key in plain text

Tinfoil Security Plugin stored the API Secret Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing...

CVSS 5.5 | AI score 5.6 | EPSS 0.00381 | Exploits 0 | Affected software 1

Jenkins Security Advisories (added 2018/07/30)

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery

TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...

CVSS 6.5 | AI score 6.5 | EPSS 0.00862 | Exploits 0 | Affected software 1

Total number of security vulnerabilities: 1442