1464 matches found
Server-side request forgery vulnerability in GitHub Branch Source Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials
GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...
CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...
Server-side request forgery vulnerability in CAS Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin
Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability. Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input...
Users were able to register user names containing control characters
The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters. This could be used to confuse administrators appearing to be a different user while preventing deletion of...
Users with Overall/Read permission were able to send GET requests to any URL
The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit a HTTP GET request to any user specified URL, and learn whether the response was successful HTTP 200 or not. Additionally, this functionality did not require POST...
Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration
Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint. This allowed any user with Overall/Read permission to both read and write the plugin configuration XML. Black Duck Hub Plugin...
XML External Entity processing vulnerability in Black Duck Hub Plugin
Black Duck Hub Plugin's /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity XXE processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file...
Gitlab Hook Plugin stores and displays GitLab API token in plain text
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to user...
Path traversal vulnerability in agent to controller security subsystem
The agent to controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents. Learn more. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access. Paths are now...
CLI and UI allow non-admin users to enumerate installed plugins
Users with Overall/Read permission were able use the list-plugins CLI command and view the About Jenkins page to list all installed plugins. Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission...
Email Extension Plugin showed plain text SMTP password in configuration form field
Email Extension Plugin stores an SMTP password in the global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Stored XSS vulnerability in S3 Publisher Plugin
S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...
Path traversal vulnerability allows arbitrary file writing in HTML Publisher Plugin
HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins controller without further processing, resulting in a path traversal vulnerability that allowed overriding files outside the...
Session fixation vulnerability in Google Login Plugin
Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...
Open redirect vulnerability in Google Login Plugin
Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks. Google Login Plugin now only performs redirects to relative URLs...
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...
Cross-site scripting vulnerability in confirmation dialogs displaying item names
Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. JavaScript confirmation dialogs that include the item name now properly escape it, so it c...
Ansible Plugin disabled host key verification by default
Ansible Plugin disabled host key verification by default, having it only as an opt-in option. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out. Existing configurations that previously did not opt into host key verification will have host ke...
GitHub Pull Request Builder Plugin stores webhook secret in plain text
GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords throug...
Perforce Plugin uses ineffective credentials encryption
Perforce Plugin encrypts its credentials using DES and an encryption key stored in its public source code, so it only serves as basic obfuscation. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could resul...
CSRF vulnerability and missing permission checks in vSphere Plugin form validation allowed enumerating credentials IDs, capturing credentials, and denial of service
vSphere Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to perform various actions such as: Connect to an attacker-specified vSphere server using attacker-specified credentials IDs obtained through another...
Perforce Plugin credentials can be obtained by users with Job/Extended Read permission
Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations. Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins,...
Copy To Slave Plugin allows access to arbitrary files on the Jenkins controller file system
Copy To Slave Plugin allows users with Job/Configure permissions to configure it in such a way that it allows obtaining arbitrary files accessible to the Jenkins controller process from the Jenkins controller file system. As of publication of this advisory, there is no fix...
GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml
GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...
Cucumber Living Documentation Plugin disabled Content-Security-Policy for archived and workspace files
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport SECURITY-95. Cucumber Living Documentation Plugin disabled this XSS protection until Jenki...
vSphere Plugin does not validate SSL/TLS certificates
vSphere Plugin disabled SSL/TLS certificate validation unconditionally, allowing potential man-in-the-middle attacks. vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default...
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution. As of publication of this advisory, there is no fix...
Mailer Plugin allowed unauthorized users to send test emails
A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...
Reverse Proxy Auth persisted authorities cache on disk
Reverse Proxy Auth Plugin persisted a cache of granted authorities group memberships on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of...
Coverity Plugin stored keystore and private key passwords in plain text
The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-sit...
Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability
The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262. As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers...
Reflected cross-site-scripting vulnerability in report URL of CppNCSS Plugin
CppNCSS Plugin did not properly escape the report name and graph name, resulting in a reflected cross-site scripting vulnerability. Report name and graph name are now properly escaped...
Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin
Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with the Google Play API. This functionality did not check permissions, allowing any user with Overall/Read permission to get a...
Disclosure of user names and node names to unauthorized users through post-commit hook URL in Git Plugin
The class handling unauthenticated Git post-commit hook notification requests at the /git/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyo...
Disclosure of user names and node names to unauthorized users through post-commit hook URL in Mercurial Plugin
The class handling unauthenticated Mercurial post-commit hook notification requests at the /mercurial/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...
Promoted Builds Plugin allowed unauthorized users to run some promotion processes
Users with Job/Read access were able to approve and re-execute promotion processes with a manual promotion condition that did not specify a list of users allowed to manually approve the promotion. The plugin now requires users to have the Promotion/Promote permission to be able to approve or...
Environment Injector Plugin before 1.91 stored sensitive build variables
EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 released on Mar 08, 2015 however did not exempt sensitive variables...
Improper access control in Gerrit Trigger Plugin allowed unauthorized users to read some server configuration information
Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to access a form that showed the configuration of Gerrit servers in Jenkins. The key file password was only shown in its encrypted form, if configured. Other options were plainly visible. The missing...
Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations
Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions: - Configure Gerrit servers - Connect and disconnect configured Gerrit servers The missing permission checks have been added...
Improper access control allowed users without ManageOwnership permission to change job ownership metadata in Job and Node ownership Plugin
Job and Node ownership Plugin did not prevent the ownership metadata being overwritten when a job or node configuration was updated from the CLI or using the remote API POST config.xml. This allowed users with Job/Configure permission but without ManageOwnership/Jobs permission to change job...
Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin
The class handling unauthenticated Subversion post-commit hook notification requests at the /subversion/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...
Stored cross-site scripting vulnerability in TestLink Plugin
Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names. The plugin now properly escapes its HTML output...
Improper input validation allows unintended access to plugin resource files on case-insensitive file systems
Jenkins did not take into account case-insensitive file systems when preventing access to plugin resource files that should not be accessible. This allowed users with Overall/Read permission to download plugin resource files in META-INF and WEB-INF directories, such as the plugins' JAR files, whi...
Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery
The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...
Path traversal vulnerability allows access to files outside plugin resources
Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins controller they should not have access to. On Windows, any file accessible to the...
SECURITY-698
Bulletin has no description...
SECURITY-699
Bulletin has no description...