1464 matches found
Sandbox Bypass in Script Security Plugin
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix fo...
Sandbox Bypass via CSRF in Warnings Next Generation Plugin
Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site...
Recursive token expansion results in information disclosure and DoS in Token Macro Plugin
Token Macro Plugin recursively applied token expansion. This could be used by users able to affect input to token expansion such as change log messages, to inject additional tokens into the input, which would then be expanded, resulting in information disclosure for example values of environment...
CSRF vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials
Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability and missing permission checks in Kanboard Plugin allowed server-side request forgery
Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF...
Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled. Monitoring Plugin now checks on startup whether Jenkins has CSRF protection enabled and enables its...
Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins. While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions...
Administrators could persist access to Jenkins using crafted 'Remember me' cookie
Users with the Overall/RunScripts permission typically administrators were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for...
Sandbox Bypass in Script Security and Pipeline Plugins
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Re...
Code execution through crafted URLs
Jenkins uses the Stapler web framework for HTTP request handling. Stapler's basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that has a String, int, long, or no argument can be invoked...
Forced migration of user records
The fix for SECURITY-499 introduced a mechanism that renamed user directories on disk as a user with an unsafe user name user ID is loaded. Insufficient input validation allowed attackers to rename such user directories even for users with a safe user name by submitting a crafted user name when...
Workspace browser allowed accessing files outside the workspace
The file browser for workspaces, archived artifacts, and $JENKINSHOME/userContent/ followed symbolic links to locations outside the directory being browsed. While builds typically have access to the file system outside the workspace allocated by Jenkins, this should not extend to beyond the...
Potential denial of service through cron expression form validation
The form validation for cron expressions e.g. "Poll SCM", "Build periodically" could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely...
Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...
Path traversal vulnerability in Stapler allowed accessing internal data
A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type. This could be used to access internal data of routable objects, commonly by showing their string representation toString...
Session fixation vulnerability on user signup
When signing up for a new user account on instances using Jenkins' own user database, Jenkins did not invalidate the existing session and create a new one. This allowed session fixation. Jenkins now invalidates the existing session and creates a new one when logging in after user signup...
Ephemeral user record creation
By accessing a specific crafted URL on Jenkins instances using Jenkins' own user database, users without Overall/Read access could create ephemeral user records. This behavior could be abused to create a large number of ephemeral user records in memory. Accessing this URL now no longer results in...
Failures to process form submission data could result in secrets being displayed or written to logs
When Jenkins fails to process form submissions due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission. Secrets, such as submitted passwords, might be included with the JSON object, and shown or written to disk in...
Arbitrary file write vulnerability using file parameter definitions
Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to archive the uploaded file on the Jenkins controller, resulting in an arbitrary file write vulnerability. File parameter...
Reflected XSS vulnerability
The wrapper query parameter for the XML variant of the Jenkins remote API did not validate the specified tag name. This resulted in a reflected cross-site scripting vulnerability. Only legal XML tag names are now allowed for the wrapper query parameter...
Ephemeral user record was created on some invalid authentication attempts
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin
Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part ...
CSRF vulnerability in JUnit Plugin
A URL used to allow setting the description of a test object in JUnit Plugin did not require POST requests, resulting in a cross-site request forgery vulnerability. That URL now requires POST requests be sent...
CSRF vulnerability in Config File Provider Plugin
A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability. This URL now requires POST requests...
CSRF vulnerability in Email Extension Template Plugin
Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates. These URLs now require POST requests...
SonarQube Scanner Plugin stored server authentication token in plain text
SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. The plugin now stores the token encrypted in the configuration files on disk...
Stored XSS vulnerability in Git Changelog Plugin
Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting XSS vulnerability exploitable by users with commit access to specific Git repositories. Git Changelog Plugin 2.7 and newer escape Git commit messages shown on th...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Argus Notifier Plugin
Argus Notifier Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as...
CSRF vulnerability and missing permission checks in Dimensions Plugin
Users with Overall/Read permission were able to access Dimensions Plugin's form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability...
XML External Entity Processing Vulnerability in Monitoring Plugin
The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity XXE processing vulnerability. This allows attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks...
Server-side request forgery vulnerability in Mesos Plugin
A missing permission check in a form validation method in Mesos Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. Thi...
Crowd 2 Integration Plugin stored credentials in plain text
Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk an...
Artifactory Plugin stored old directly entered credentials unencrypted on disk
Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials however were not removed when switching to this new system. Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using...
PAM Authentication Plugin did not properly validate user accounts
The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts. The bundled version of the library was updated to include the fix for this...
Arachni Scanner Plugin stored credentials in plain text
Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing configurations are migrated...
CSRF vulnerability and missing permission checks in Argus Notifier Plugin allowed capturing credentials
Argus Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
CSRF vulnerability and missing permission checks in Chatter Notifier Plugin allowed capturing credentials
Chatter Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...
Publish Over Dropbox Plugin stored credentials in plain text
Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system. Additionally, the authorization code was not masked from view usi...
CSRF vulnerability and missing permission checks in Jira Plugin allowed capturing credentials
Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerability in Config File Provider Plugin
Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting XSS vulnerability. Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in HipChat Plugin
HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of ...
Server-side request forgery vulnerability in Crowd 2 Integration Plugin
Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings. Additionally, this form validation...
CSRF vulnerability and missing permission checks in MQ Notifier Plugin
Users with Overall/Read permission were able to access MQ Notifier Plugin's form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability. The...
Stored XSS vulnerability in Metadata Plugin
A stored cross-site scripting XSS vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/Javascript into Jenkins pages. As of publication of this advisory, there is no fix...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Chatter Notifier Plugin
Chatter Notifier Plugin provides a list of applicable credential IDs to allow users configuring the plugin's functionality to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be...
Dimensions Plugin stored credentials in plain text
Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk and no longer...
Stored XSS vulnerability in Rebuild Plugin
Rebuild Plugin did not escape parameter descriptions shown on the rebuild form page, resulting in a stored Cross-Site Scripting XSS vulnerability exploitable by users with the permission to configure jobs. Rebuild Plugin now applies the configured markup formatter to the parameter descriptions it...
Reflected XSS vulnerability in Job Config History Plugin
Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting XSS vulnerability. Job Config History Plugin now globally applies variable escaping to its pages...
CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials
HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method,...
Missing permission check in Metadata Plugin allows unauthorized users to change Metadata Plugin configuration
Metadata Plugin lacks a permission check that allows users with Overall/Read access to Jenkins to change the plugin's configuration. As of publication of this advisory, there is no fix...