Jenkins Security Advisories (search listing, 1440 matches found)

Source: Jenkins Security Advisories, added 2018/03/26

Perforce Plugin uses ineffective credentials encryption

Perforce Plugin encrypts its credentials using DES and an encryption key stored in its public source code, so it only serves as basic obfuscation. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could resul...

CVSS 6.5 | EPSS 0.01142 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

Ansible Plugin disabled host key verification by default

Ansible Plugin disabled host key verification by default, having it only as an opt-in option. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out. Existing configurations that previously did not opt into host key verification will have host ke...

CVSS 6.8 | EPSS 0.00718 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution. As of publication of this advisory, there is no fix...

CVSS 8.8 | EPSS 0.01577 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

Reverse Proxy Auth persisted authorities cache on disk

Reverse Proxy Auth Plugin persisted a cache of granted authorities group memberships on disk. This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users. Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of...

CVSS 3.3 | EPSS 0.00349 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

GitHub Pull Request Builder Plugin stores webhook secret in plain text

GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords throug...

CVSS 6.7 | EPSS 0.00368 | Exploits: 0

Source: Jenkins Security Advisories, added 2018/03/26

GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects...

CVSS 7.8 | EPSS 0.00376 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

Perforce Plugin credentials can be obtained by users with Job/Extended Read permission

Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations. Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins,...

CVSS 6.5 | EPSS 0.00858 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/03/26

Mailer Plugin allowed unauthorized users to send test emails

A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...

CVSS 8.0 | EPSS 0.06773 | Exploits: 5 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 released on Mar 08, 2015 however did not exempt sensitive variables...

CVSS 3.1 | AI score 5.4 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Promoted Builds Plugin allowed unauthorized users to run some promotion processes

Users with Job/Read access were able to approve and re-execute promotion processes with a manual promotion condition that did not specify a list of users allowed to manually approve the promotion. The plugin now requires users to have the Promotion/Promote permission to be able to approve or...

CVSS 4.3 | EPSS 0.00642 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin

Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with the Google Play API. This functionality did not check permissions, allowing any user with Overall/Read permission to get a...

CVSS 4.3 | EPSS 0.00676 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to read some server configuration information

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to access a form that showed the configuration of Gerrit servers in Jenkins. The key file password was only shown in its encrypted form, if configured. Other options were plainly visible. The missing...

CVSS 4.3 | EPSS 0.00676 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Reflected cross-site-scripting vulnerability in report URL of CppNCSS Plugin

CppNCSS Plugin did not properly escape the report name and graph name, resulting in a reflected cross-site scripting vulnerability. Report name and graph name are now properly escaped...

CVSS 6.1 | EPSS 0.00843 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Git Plugin

The class handling unauthenticated Git post-commit hook notification requests at the /git/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyo...

CVSS 5.3 | EPSS 0.03988 | Exploits: 2 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability

The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262. As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers...

CVSS 4.3 | EPSS 0.19312 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Coverity Plugin stored keystore and private key passwords in plain text

The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-sit...

CVSS 7.8 | EPSS 0.00344 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Stored cross-site scripting vulnerability in TestLink Plugin

Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names. The plugin now properly escapes its HTML output...

CVSS 5.4 | EPSS 0.00719 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions:
- Configure Gerrit servers
- Connect and disconnect configured Gerrit servers
The missing permission checks have been added...

CVSS 5.5 | EPSS 0.00908 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Improper access control allowed users without ManageOwnership permission to change job ownership metadata in Job and Node ownership Plugin

Job and Node ownership Plugin did not prevent the ownership metadata being overwritten when a job or node configuration was updated from the CLI or using the remote API POST config.xml. This allowed users with Job/Configure permission but without ManageOwnership/Jobs permission to change job...

CVSS 6.5 | EPSS 0.007 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin

The class handling unauthenticated Subversion post-commit hook notification requests at the /subversion/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...

CVSS 5.3 | EPSS 0.00914 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/26

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Mercurial Plugin

The class handling unauthenticated Mercurial post-commit hook notification requests at the /mercurial/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...

CVSS 5.3 | EPSS 0.0098 | Exploits: 0 | Affected software: 1
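The three post-commit-hook advisories above (Git, Subversion and Mercurial plugins) describe one defect: an unauthenticated hook endpoint inherited a search handler, so a query sent to /git/search/, /subversion/search/ or /mercurial/search/ was answered without authentication. What follows is an added example, not code from Jenkins or from any of the three plugins. It is a Python scan of reverse-proxy access logs for requests that reached that inherited route and were answered successfully. The log format (Apache "combined"), the sample lines, the client addresses and the function names are constructed for the illustration; a real Jenkins deployment may log differently.

```python
"""Find requests to the inherited /<scm>/search/ route in proxy access logs.

Added illustration, not code from Jenkins or from the Git, Subversion or
Mercurial plugins.  The log format (Apache "combined"), the sample lines
and all names below are constructed for this example.
"""
import re
from typing import List, Tuple

# host ident user [time] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The hook endpoints are unauthenticated, so any search query routed under
# them is suspicious.  (?:^|/) tolerates a context path such as /jenkins/.
PROBE_RE = re.compile(
    r'(?:^|/)(?:git|subversion|mercurial)/search(?:/|\?|$)', re.IGNORECASE
)

# Constructed sample: one client walks all three routes; a normal user
# uses the ordinary /search/ page; one legitimate hook call; one probe
# that was rejected.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2018:10:01:02 +0000] "GET /git/search/?q=admin HTTP/1.1" 200 5120 "-" "curl/7.58.0"
203.0.113.7 - - [26/Feb/2018:10:01:05 +0000] "GET /subversion/search/?q=node HTTP/1.1" 200 4870 "-" "curl/7.58.0"
198.51.100.9 - alice [26/Feb/2018:10:02:00 +0000] "GET /search/?q=build HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2018:10:03:00 +0000] "GET /jenkins/mercurial/search/?q=a HTTP/1.1" 200 4000 "-" "curl/7.58.0"
203.0.113.7 - - [26/Feb/2018:10:04:00 +0000] "POST /git/notifyCommit?url=x HTTP/1.1" 200 0 "-" "curl/7.58.0"
203.0.113.7 - - [26/Feb/2018:10:05:00 +0000] "GET /git/search/?q=admin HTTP/1.1" 404 300 "-" "curl/7.58.0"
""".splitlines()


def find_search_probes(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, user, path, status) for each request that reached the
    inherited search route and got a 2xx answer.  Non-2xx hits are dropped:
    they show that someone tried, not that the instance leaked anything."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        status = int(m.group("status"))
        if PROBE_RE.search(m.group("path")) and 200 <= status < 300:
            hits.append((m.group("host"), m.group("user"), m.group("path"), status))
    return hits


if __name__ == "__main__":
    for client, user, path, status in find_search_probes(SAMPLE_LOG):
        print(f"{client} user={user} {path} -> {status}")
```

The ordinary /search/ page and the legitimate notifyCommit call are not reported; only the three successful queries under the hook paths are. The proxy's user field is "-" for session-authenticated Jenkins users as well as for anonymous ones, so it is context, not proof of who sent the request.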
Source: Jenkins Security Advisories, added 2018/02/14

Improper input validation allows unintended access to plugin resource files on case-insensitive file systems

Jenkins did not take into account case-insensitive file systems when preventing access to plugin resource files that should not be accessible. This allowed users with Overall/Read permission to download plugin resource files in META-INF and WEB-INF directories, such as the plugins' JAR files, whi...

CVSS 5.3 | EPSS 0.0197 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/14

Path traversal vulnerability allows access to files outside plugin resources

Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins controller they should not have access to. On Windows, any file accessible to the...

CVSS 6.5 | EPSS 0.0388 | Exploits: 0 | Affected software: 1
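The two plugin-resource advisories above are the same check done wrong twice: the denylist for META-INF and WEB-INF was compared case-sensitively although the host file system might not be, and relative ".." segments were not collapsed before the decision was made. The following is an added example, not Jenkins code, showing the defective shape of such a check next to a version that normalises first and compares case-insensitively. The function names and the vulnerable variant are constructed for the illustration, and the requested path is assumed to be already percent-decoded.

```python
"""Checking a plugin-resource path before serving it.

Added illustration, not Jenkins code.  Names are made up; the path is
assumed to be already percent-decoded.
"""
import posixpath
from typing import Optional

# Directories under a plugin's resource root that must never be served.
DENIED_DIRS = ("META-INF", "WEB-INF")


def naive_is_allowed(requested: str) -> bool:
    """The defective shape: a case-sensitive prefix check on the raw path.
    Passes 'meta-inf/MANIFEST.MF' on a case-folding file system and
    'images/../META-INF/MANIFEST.MF' everywhere."""
    return not any(requested.startswith(d + "/") for d in DENIED_DIRS)


def safe_resolve(requested: str) -> Optional[str]:
    """Return the normalised relative path to serve, or None to refuse."""
    # Absolute paths, backslashes (a separator on Windows) and NULs are
    # never legitimate in a resource reference.
    if requested.startswith("/") or "\\" in requested or "\x00" in requested:
        return None
    # Collapse '.' and '..' first so a denied directory cannot hide behind
    # a harmless-looking prefix.
    norm = posixpath.normpath(requested)
    # Any '..' that survives normalisation points outside the resource root.
    if norm in (".", "..") or norm.startswith("../"):
        return None
    # Compare the first component case-insensitively on every host:
    # refusing 'meta-inf' on Linux costs nothing and removes the
    # dependence on the file system's case handling.
    first = norm.split("/", 1)[0].casefold()
    if first in {d.casefold() for d in DENIED_DIRS}:
        return None
    return norm
```

The order matters: normalising after the denylist check, or checking the denylist against only one spelling, reintroduces one of the two bugs.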
Source: Jenkins Security Advisories, added 2018/02/14

Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery

The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...

CVSS 6.4 | EPSS 0.01664 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/05

SECURITY-698

Bulletin has no description...

CVSS 3.1 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/05

SECURITY-699

Bulletin has no description...

CVSS 8.8 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/05

SECURITY-660

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/05

SECURITY-659

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/02/05

SECURITY-521

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-694

Bulletin has no description...

CVSS 4.8 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-695

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-675

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-655

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-656

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-657

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-507

Bulletin has no description...

CVSS 3.1 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-658

Bulletin has no description...

CVSS 7.6 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2018/01/22

SECURITY-607

Bulletin has no description...

CVSS 4.3 | AI score 4.9 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2017/11/08

Persisted XSS vulnerability in autocompletion suggestions

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for thes...

CVSS 4.8 | EPSS 0.01149 | Exploits: 0 | Affected software: 1

Source: Jenkins Security Advisories, added 2017/11/08

Unsafe use of user names as directory names

Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of...

CVSS 7.3 | EPSS 0.01529 | Exploits: 0 | Affected software: 1
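The advisory above says user directories were named after the raw user ID, so an ID containing path separators or dot segments decided where on disk Jenkins wrote. The following is an added example, not the scheme Jenkins itself adopted, of mapping an arbitrary user ID to exactly one safe path component: plain IDs are kept as they are, everything else is replaced with "_" and a short hash of the original ID is appended so that two different IDs cannot collide after sanitising. Function names, the allowed character set and the users-root path are choices made for this illustration.

```python
"""Turning a user ID into a single safe directory name.

Added illustration, not the algorithm Jenkins adopted.  All names and
the allowed character set are choices made for this example.
"""
import hashlib
import posixpath
import re

# Characters that may appear in a directory name used as-is.  '.' is
# deliberately excluded so '.', '..' and hidden-file names cannot occur,
# and neither slash is allowed, so the result is always one component.
UNSAFE = re.compile(r"[^A-Za-z0-9_-]")


def user_dir_name(user_id: str) -> str:
    """Map an arbitrary user ID to exactly one path component."""
    if user_id and not UNSAFE.search(user_id):
        return user_id  # ordinary IDs keep their existing directory
    # Replace every unsafe character, then append a hash of the original
    # so 'a/b' and 'a_b' (which sanitise alike) still get distinct names.
    digest = hashlib.sha256(user_id.encode("utf-8")).hexdigest()[:12]
    stem = UNSAFE.sub("_", user_id)[:64]  # bounded length
    return f"{stem}_{digest}"


def user_dir(users_root: str, user_id: str) -> str:
    """Join the sanitised name onto the users root and verify that the
    result is a direct child of it.  user_dir_name can never emit a
    separator, so this guards against future edits rather than fixing
    anything on its own."""
    root = posixpath.normpath(users_root)
    path = posixpath.join(root, user_dir_name(user_id))
    if posixpath.dirname(path) != root:
        raise ValueError("sanitised user name escaped the users directory")
    return path


if __name__ == "__main__":
    for uid in ("alice", "build-bot_2", "../../../tmp/evil", "a/b", "a_b"):
        print(f"{uid!r:24} -> {user_dir('/var/lib/jenkins/users', uid)}")
```

One consequence of excluding "." from the safe set is that an ID such as "john.doe" gets a hashed name rather than its literal spelling; accepting that is simpler than enumerating every dot-based special case.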