1464 matches found
Jenkins allowed deserialization of <code>URL</code> objects with host components
Jenkins allowed deserialization of URL objects via Remoting agent communication and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods...
"Remember me" cookie was evaluated even if that feature is disabled
The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in. "Remember me" cookies are no longer evaluated when the corresponding feature is disabled...
Unauthorized users could access agent logs
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...
Ephemeral user record was created on some invalid authentication attempts
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...
Cron expression form validation could enter infinite loop, potentially resulting in denial of service
The form validation for cron expressions e.g. "Poll SCM", "Build periodically" could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely...
Unauthorized users could cancel scheduled restarts initiated from the update center
Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center "Restart Jenkins when installation is complete and no jobs are running" due to a lack of permission checks. Access to the affected URL is now limited to users with...
CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials
Maven Artifact ChoiceListProvider Nexus Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained throu...
Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin
Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...
meliora-testlab Plugin stored API Key in plain text
meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. Additionally, the API key was not masked from view using a password form fiel...
CSRF vulnerability and missing permission checks in Agiletestware Pangolin Connector for TestRail Plugin allowed overriding plugin configuration
Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration. Additionally, the API endpoint did not require...
Anchore Container Image Scanner Plugin stored password in plain text
Anchore Container Image Scanner Plugin stored the password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...
Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...
CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery
TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended. Additionally, this form validation method did not...
CSRF vulnerability and missing permission checks in Resource Disposer Plugin
Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource. Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability. This API endpoint now...
CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin
Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host. Additionally, this form validation method did not require POST requests, resultin...
CSRF vulnerability and missing permission checks in Confluence Publisher Plugin
Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials. Additionally, this form validation method did not require POS...
CSRF vulnerability and missing permission checks in Kubernetes Plugin allowed capturing credentials
Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credentials IDs obtained through another method, capturing credentia...
Tinfoil Security Plugin stored API Secret Key in plain text
Tinfoil Security Plugin stored the API Secret Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing...
TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation
TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...
CSRF vulnerability and missing permission checks in SaltStack Plugin allowed capturing credentials
SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials
Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...
Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...
SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline
When using the sshagent step inside a withDockerContainer block in Pipeline, the resulting logging of the ssh-add command included the SSH key passphrase in plain text. The plugin no longer logs the ssh-add invocation that would reveal the passphrase...
XSS vulnerability in Stapler debug mode
Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability. Parts of URLs...
Stored XSS vulnerability
The build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names. Jenkins now escapes job display names shown on the timeline widget...
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins i...
Unauthorized users could initiate and abort agent launches
The URL that initiates agent launches on the Jenkins controller did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches. Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching...
Unauthorized users are able to determine when a plugin was extracted from its JPI package
Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission. This allowed unauthorized users to determine the likely install date of a given plugin. The affected files are n...
Arbitrary file read vulnerability
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...
Unauthorized users could cancel queued builds
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...
CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials
Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
AWS CodePipeline Plugin stored AWS Secret Key in plain text
AWS CodePipeline Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form...
Server-side request forgery vulnerability in URLTrigger Plugin
A form validation method in URLTrigger Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting ...
Configuration as Code Plugin allowed anyone with Overall/Read access to export Jenkins configuration
Configuration as Code Plugin lacked a permission check in the method handling the URL exporting the system configuration. This allowed users with Overall/Read access to Jenkins to obtain this YAML export. This permission check has been added in Configuration as Code Plugin 0.8-alpha...
Configuration as Code Plugin logged passwords in clear text
Configuration as Code Plugin logged secrets set via its configuration to the Jenkins controller system log in plain text. This allowed users with access to the Jenkins log files to obtain these passwords and similar secrets. Secrets are now masked when logging configuration...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
A form action method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GitHub API request to create an API token to an attacker-specified URL. This allowed users with Overall/Read access to Jenkin...
AWS CodeDeploy Plugin stored AWS Secret Key in plain text
AWS CodeDeploy Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked fr...
AWS CodeBuild Plugin stored AWS Secret Key in plain text
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form field...
Arbitrary file write vulnerability in Fortify CloudScan Plugin
Fortify CloudScan Plugin did not validate file names in rulepack ZIP archives it extracts, resulting in an arbitrary file write vulnerability. Fortify CloudScan Plugin 1.5.2 and newer rejects relative paths escaping the ZIP extraction base directory...
IBM z/OS Connector Plugin stores password in plain text
IBM z/OS Connector Plugin did not encrypt password credentials stored in its configuration. This could be used by users with Jenkins controller file system access to obtain the password. While masked from view using a password form field, the AWS Secret Key was transferred in plain text to...
Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials Binding Plugin
SSH Credentials Plugin allowed the creation of SSH credentials with keys "From a file on Jenkins controller". Credentials Binding Plugin 1.13 and newer allows binding SSH credentials to environment variables. In combination, these two features allow users with the permission to configure a job to...
HTTP session fixation vulnerability in SAML Plugin
SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...
AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration
AWS CodeDeploy Plugin could persist environment variables from the last run of any project with the post-build step configured in the job's config.xml file. In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment...
Persisted cross-site scripting vulnerability in Badge Plugin
Badge Plugin stored and displayed user-provided HTML for badges and summaries unprocessed, allowing users with the ability to control badge content to store malicious HTML to be displayed within Jenkins. Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the Jenkins web UI...
CollabNet Plugin globally and unconditionally disables SSL/TLS certificate validation
CollabNet Plugin disabled SSL/TLS certificate validation for the entire Jenkins controller JVM by default. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property...
Server-side request forgery vulnerability in GitHub Plugin
A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...
Kubernetes Plugin printed sensitive build variables to logs
Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...
CSRF vulnerability and missing permission checks in Black Duck Hub Plugin allowed server-side request forgery, capturing credentials
Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Server-side request forgery vulnerability in Git Plugin
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, these form validation methods did not require POST requests, resultin...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...