Stored XSS vulnerability
The build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names. Jenkins now escapes job display names shown on the timeline widget...
Unauthorized users are able to determine when a plugin was extracted from its JPI package
Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission. This allowed unauthorized users to determine the likely install date of a given plugin. The affected files are n...
Unauthorized users could initiate and abort agent launches
The URL that initiates agent launches on the Jenkins controller did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches. Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching...
Arbitrary file read vulnerability
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...
Unauthorized users could cancel queued builds
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds. The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission...
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins i...
Configuration as Code Plugin logged passwords in clear text
Configuration as Code Plugin logged secrets set via its configuration to the Jenkins controller system log in plain text. This allowed users with access to the Jenkins log files to obtain these passwords and similar secrets. Secrets are now masked when logging configuration...
Arbitrary file write vulnerability in Fortify CloudScan Plugin
Fortify CloudScan Plugin did not validate file names in rulepack ZIP archives it extracts, resulting in an arbitrary file write vulnerability. Fortify CloudScan Plugin 1.5.2 and newer rejects relative paths escaping the ZIP extraction base directory...
Server-side request forgery vulnerability in URLTrigger Plugin
A form validation method in URLTrigger Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting ...
CollabNet Plugin globally and unconditionally disables SSL/TLS certificate validation
CollabNet Plugin disabled SSL/TLS certificate validation for the entire Jenkins controller JVM by default. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property...
Persisted cross-site scripting vulnerability in Badge Plugin
Badge Plugin stored and displayed user-provided HTML for badges and summaries unprocessed, allowing users with the ability to control badge content to store malicious HTML to be displayed within Jenkins. Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the Jenkins web UI...
AWS CodeDeploy Plugin stored AWS Secret Key in plain text
AWS CodeDeploy Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked fr...
AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration
AWS CodeDeploy Plugin could persist environment variables from the last run of any project with the post-build step configured in the job's config.xml file. In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment...
HTTP session fixation vulnerability in SAML Plugin
SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
A form action method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GitHub API request to create an API token to an attacker-specified URL. This allowed users with Overall/Read access to Jenkin...
AWS CodePipeline Plugin stored AWS Secret Key in plain text
AWS CodePipeline Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form...
AWS CodeBuild Plugin stored AWS Secret Key in plain text
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form field...
CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials
Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials Binding Plugin
SSH Credentials Plugin allowed the creation of SSH credentials with keys "From a file on Jenkins controller". Credentials Binding Plugin 1.13 and newer allows binding SSH credentials to environment variables. In combination, these two features allow users with the permission to configure a job to...
Configuration as Code Plugin allowed anyone with Overall/Read access to export Jenkins configuration
Configuration as Code Plugin lacked a permission check in the method handling the URL exporting the system configuration. This allowed users with Overall/Read access to Jenkins to obtain this YAML export. This permission check has been added in Configuration as Code Plugin 0.8-alpha...
IBM z/OS Connector Plugin stores password in plain text
IBM z/OS Connector Plugin did not encrypt password credentials stored in its configuration. This could be used by users with Jenkins controller file system access to obtain the password. While masked from view using a password form field, the AWS Secret Key was transferred in plain text to...
Server-side request forgery vulnerability in GitHub Branch Source Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Server-side request forgery vulnerability in GitHub Plugin
A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation is returning...
Server-side request forgery vulnerability in Git Plugin
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, these form validation methods did not require POST requests, resultin...
CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...
CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...
Server-side request forgery vulnerability in CAS Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Kubernetes Plugin printed sensitive build variables to logs
Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry. The plugin now applies masking of sensitive build variables to these pipeline steps...
CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials
GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability and missing permission checks in Black Duck Hub Plugin allowed server-side request forgery, capturing credentials
Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin
Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability. Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input...
XML External Entity processing vulnerability in Black Duck Hub Plugin
Black Duck Hub Plugin's /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file...
Users were able to register user names containing control characters
The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters. This could be used to confuse administrators by appearing to be a different user, while preventing deletion of...
Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration
Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint. This allowed any user with Overall/Read permission to both read and write the plugin configuration XML. Black Duck Hub Plugin...
Gitlab Hook Plugin stores and displays GitLab API token in plain text
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to user...
Users with Overall/Read permission were able to send GET requests to any URL
The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit an HTTP GET request to any user-specified URL and learn whether the response was a successful HTTP 200 or not. Additionally, this functionality did not require POST...
Path traversal vulnerability in agent to controller security subsystem
The agent-to-controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write files they should not be able to access. Paths are now...
CLI and UI allow non-admin users to enumerate installed plugins
Users with Overall/Read permission were able to use the list-plugins CLI command and view the About Jenkins page to list all installed plugins. Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission...
Path traversal vulnerability allows arbitrary file writing in HTML Publisher Plugin
HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins controller without further processing, resulting in a path traversal vulnerability that allowed overriding files outside the...
Stored XSS vulnerability in S3 Publisher Plugin
S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...
Email Extension Plugin showed plain text SMTP password in configuration form field
Email Extension Plugin stores an SMTP password in the global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Open redirect vulnerability in Google Login Plugin
Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks. Google Login Plugin now only performs redirects to relative URLs...
Session fixation vulnerability in Google Login Plugin
Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...
Cross-site scripting vulnerability in confirmation dialogs displaying item names
Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. JavaScript confirmation dialogs that include the item name now properly escape it, so it c...
Reverse Proxy Auth persisted authorities cache on disk
Reverse Proxy Auth Plugin persisted a cache of granted authorities (group memberships) on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer stores the cache of...
Copy To Slave Plugin allows access to arbitrary files on the Jenkins controller file system
Copy To Slave Plugin allows users with Job/Configure permissions to configure it in such a way that it allows obtaining arbitrary files accessible to the Jenkins controller process from the Jenkins controller file system. As of publication of this advisory, there is no fix...
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in vSphere Plugin form validation allowed enumerating credentials IDs, capturing credentials, and denial of service
vSphere Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to perform various actions such as: Connect to an attacker-specified vSphere server using attacker-specified credentials IDs obtained through another...