CSRF vulnerability
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability...
Encrypted values of secrets stored in view configuration revealed to users with View/Read permission
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the 2016-05-11...
Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the...
Improper handling of case sensitivity in oic-auth
oic-auth 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case,...
atlassian-bitbucket-server-integration allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. atlassian-bitbucket-server-integration implements this extension point to support OAuth 1.0 authentication. In atlassian-bitbucket-server-integration 2.1.0 through 4.1.3 both...
Tokens stored in plain text by zoom
zoom 1.3 and earlier stores Zoom integration tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. zoom 1.4 stores Zoom integration...
Tokens displayed without masking by zoom
zoom requires Zoom integration tokens for Zoom Build Notifier post-build actions. In zoom 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. zoom 1.6 masks Zoom integration tokens displayed on the job...
CSRF vulnerability and missing permission checks in service-fabric
service-fabric 1.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credential IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Cache confusion in eiffel-broadcaster
eiffel-broadcaster allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. eiffel-broadcaster 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key. This allows attackers able to...
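The cache-confusion pattern above is easy to reproduce. The following is an added illustration, not eiffel-broadcaster's code: Jenkins permits credentials with the same ID to exist in different scopes (a system-level credential and a folder-level one, for instance), so a cache keyed by ID alone hands one credential's derived data to whoever looks up the other. The scope names, credential IDs and certificate bytes are constructed for the example; the fixed variant keys on scope, ID and a digest of the credential content, which is one way (not necessarily the plugin's) to make distinct credentials never collide.

```python
import hashlib

# Constructed sample: two distinct certificate credentials that share the ID
# "signing-cert" but live in different Jenkins scopes.
CREDENTIALS = {
    ("system", "signing-cert"): b"CERT-A: legitimate broadcaster signing cert",
    ("folder/team-x", "signing-cert"): b"CERT-B: attacker-created credential",
}


def derive_signer(cert_bytes):
    """Stand-in for the expensive per-credential work a plugin would cache
    (key parsing, keystore loading, ...). Returns an opaque handle."""
    return "signer:" + hashlib.sha256(cert_bytes).hexdigest()[:12]


class IdKeyedCache:
    """Flawed pattern: cache entries keyed by the credential ID only."""

    def __init__(self):
        self.entries = {}

    def signer(self, scope, cred_id):
        if cred_id not in self.entries:
            self.entries[cred_id] = derive_signer(CREDENTIALS[(scope, cred_id)])
        return self.entries[cred_id]


class ContentKeyedCache:
    """Fix: key on scope, ID and a digest of the credential content, so two
    credentials that merely share an ID get separate cache entries."""

    def __init__(self):
        self.entries = {}

    def signer(self, scope, cred_id):
        cert = CREDENTIALS[(scope, cred_id)]
        key = (scope, cred_id, hashlib.sha256(cert).hexdigest())
        if key not in self.entries:
            self.entries[key] = derive_signer(cert)
        return self.entries[key]


def confused(cache_cls):
    """A job using the system-scoped credential signs first; a job in the
    folder then asks for "its" credential. Returns True when the second
    lookup is served the first credential's signer, i.e. the cache confused
    two different credentials."""
    cache = cache_cls()
    system_signer = cache.signer("system", "signing-cert")
    folder_signer = cache.signer("folder/team-x", "signing-cert")
    return system_signer == folder_signer


if __name__ == "__main__":
    print("ID-keyed cache confused:     ", confused(IdKeyedCache))       # True
    print("content-keyed cache confused:", confused(ContentKeyedCache))  # False
```

The lookup order does not matter: whichever credential is derived first is what every later same-ID lookup receives, so the confusion runs in both directions.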
Disabled permissions can be granted by folder-auth
folder-auth 217.vd5b18537403e and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted typically optional permissions, like Overall/Manage, to access functionality they're no longer entitled to. As of publication of this advisory, the...
Incorrect permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and Secret text...
Denial of service vulnerability in bundled json-lib
Jenkins uses the library org.kohsuke.stapler:json-lib (https://github.com/jenkinsci/json-lib) to process JSON. This library is the Jenkins project's fork of net.sf.json-lib:json-lib (https://search.maven.org/artifact/net.sf.json-lib/json-lib), which has since been renamed to...
Stored XSS vulnerability in simple-queue
simple-queue 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. simple-queue 1.4.5 escapes the view name...
Path traversal vulnerability in filesystem-list-parameter-plugin
filesystem-list-parameter-plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. filesystem-list-parameter-plugin 0.0.15 ensures that...
Missing permission check in script-security
script-security 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files on the controller file...
Restarting a run with revoked script approval allowed by pipeline-model-definition
pipeline-model-definition 2.2214.vbb34b2ea9b83 and earlier does not check whether the main Jenkinsfile script used to restart a build from a specific stage is approved. This allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved. NOT...
Stored XSS vulnerability in authorize-project
authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...
Rebuilding a run with revoked script approval allowed by workflow-cps
workflow-cps 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main Jenkinsfile script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approved. NOTE: This...
XXE vulnerability in ivytrigger
ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...
Script security sandbox bypass vulnerability in shared-library-version-override
shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...
Session fixation vulnerability in oic-auth
oic-auth 4.418.vccc7061f5b6d and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 4.421.v5422614ebe0a invalidates the existing session on login...
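The session-fixation flaw above comes down to one missing step: authenticating the session the browser already had instead of replacing it. The block below is an added illustration of that step, not oic-auth's code (in a servlet container the equivalent is HttpSession.invalidate() followed by creating a new session). The session store and the attack sequence are constructed: the attacker obtains an unauthenticated session ID, gets the victim to log in while carrying that ID, and then checks what the ID now resolves to.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attributes."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_without_invalidation(self, sid, user):
        """Vulnerable: the pre-login session is authenticated in place, so
        anyone who knew its id before login now holds an authenticated id."""
        self.sessions[sid]["user"] = user
        return sid

    def login_with_invalidation(self, sid, user):
        """Fixed: drop the pre-login session and issue a fresh id; the old id
        no longer resolves to anything."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(invalidate_on_login):
    """Returns (what the attacker's pre-login id resolves to after the victim
    logs in, what the victim's post-login id resolves to)."""
    store = SessionStore()
    attacker_sid = store.new_session()  # attacker obtains an anonymous session id
    # Victim (an administrator) logs in from a browser carrying attacker_sid.
    if invalidate_on_login:
        victim_sid = store.login_with_invalidation(attacker_sid, "admin")
    else:
        victim_sid = store.login_without_invalidation(attacker_sid, "admin")
    return store.whoami(attacker_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    print("no invalidation:  ", fixation_attack(False))  # ('admin', 'admin')
    print("with invalidation:", fixation_attack(True))   # (None, 'admin')
```

The session ID must be rotated at the moment privileges change (login), not merely on logout; rotating only on logout leaves the window the attack needs.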
Exposure of multi-line secrets through error messages in Jenkins
Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line...
Lack of issuer claim validation in oic-auth
oic-auth 4.354.v321ce67a1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP). This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to...
Encrypted values of credentials revealed to users with Extended Read permission in credentials
credentials 1380.va435002fa924 and earlier, except 1371.1373.v4ebfab7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI. This...
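The three config.xml entries above (views, agents, and SecretBytes-typed credentials in items) describe the same gap: an encrypted value that is harmless to show to users who may edit the configuration, but must be redacted when the XML is served to users who may only read it. The block below is an added illustration of such a redaction pass, not Jenkins' own implementation. It assumes the Jenkins on-disk shape of an encrypted secret, base64 text wrapped in braces such as {AQAAABAAAA...}, and uses a constructed view config.xml with a made-up property element.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: encrypted Secret/SecretBytes values appear in config.xml as
# base64 wrapped in braces. Anything else (URLs, names) must survive untouched.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Constructed sample; com.example.ViewWebhook is a made-up property.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<hudson.model.ListView>
  <name>team-x</name>
  <properties>
    <com.example.ViewWebhook>
      <url>https://hooks.example.invalid/x</url>
      <token>{AQAAABAAAAAw3dDcY6j1ZkB8y5xVpQ7nKdLaQo9sFzQmV0jTq2uXc4A=}</token>
      <note>{not a secret: has spaces}</note>
    </com.example.ViewWebhook>
  </properties>
</hudson.model.ListView>
"""


def redact_encrypted_values(xml_text, has_configure_permission):
    """Return (xml_for_caller, number_of_values_redacted).

    Callers with Configure permission get the document unchanged; read-only
    callers get every encrypted-looking text node replaced with "****".
    """
    if has_configure_permission:
        return xml_text, 0
    root = ET.fromstring(xml_text)
    redacted = 0
    for element in root.iter():
        if element.text and ENCRYPTED_RE.match(element.text.strip()):
            element.text = "****"
            redacted += 1
    return ET.tostring(root, encoding="unicode"), redacted


if __name__ == "__main__":
    body, n = redact_encrypted_values(SAMPLE_CONFIG, has_configure_permission=False)
    print(f"redacted {n} value(s)")
    print(body)
```

Redacting on the serving path rather than at storage time matters because the same encrypted value is legitimately needed by the Jenkins controller itself and by users who can edit the configuration; the permission check, not the storage format, is what decides who sees it.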
Item creation restriction bypass vulnerability in Jenkins
Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2). Item types can prohibit creation of new instances in a given item group...
Lack of audience claim validation in oic-auth
oic-auth 4.354.v321ce67a1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator...
Arbitrary file read vulnerability through agent connections can lead to RCE
NOTE: This entry was updated on 2024-08-10 to add a reference to a workaround (https://github.com/jenkinsci-cert/SECURITY-3430). Jenkins uses the Remoting library (https://github.com/jenkinsci/remoting), typically agent.jar or remoting.jar, for the communication between controller and agents. This librar...
Missing permission check allows accessing other users' "My Views"
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
Secret file credentials stored unencrypted in rare cases by plain-credentials
When creating secret file credentials plain-credentials 182.v468b97b9dcb8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be...
Exposure of secrets through system log in structs
structs provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When structs 337.v1b04ea4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secre...
Bitbucket OAuth access token exposed in the build log by cloudbees-bitbucket-branch-source
cloudbees-bitbucket-branch-source 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. cloudbees-bitbucket-branch-source 887.vad359b3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL i...
Stored XSS vulnerability in teamconcert-git
teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert (RTC) server URI on the build page when showing changes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...
Missing permission checks in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations...
XXE vulnerabilities in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for hp-application-automation-tools-plugin build steps and post-build steps to have Jenkins parse a crafte...
Path traversal vulnerability in report-info
report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...
Security protection disabled by svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721. A...
Token stored in plain text by telegram-notifications
telegram-notifications 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Missing permission check in git-server
git-server 114.v068ac7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. git-server 117.veb68868fa027 requires...
Multiple sandbox bypass vulnerabilities in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Terrapin SSH vulnerability in Jenkins CLI client
The CLI client jenkins-cli.jar in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (https://vulners.com/cve/CVE-2023-48795), the Terrapin attack (https://en.wikipedia.org/wiki/Terrapin_attack). This vulnerability allows...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.443 and earlier, LTS...
Terrapin SSH vulnerability in trilead-api
trilead-api bundles the Jenkins project's fork of the Trilead SSH2 library (https://github.com/jenkinsci/trilead-ssh2/) for use by other plugins. trilead-api 2.133.vfb8a7b9c5dd1 and earlier, except 2.84.86.vf9c960e9b458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to...
CSRF vulnerability and missing permission check in docker-build-step
docker-build-step 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided...
Improper input sanitization in htmlpublisher
SECURITY-784 / CVE-2018-1000175 is a path traversal vulnerability in htmlpublisher 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback. In htmlpublisher 1.16 through 1.32 (both inclusive) this fallback for reports created in htmlpublisher 1.15 and earlier does n...
SSL/TLS certificate validation disabled by default in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections. In Delphix 3.0.1 this option is set to disable SSL/TLS certificate validation by default. In Delphix 3.0.2 this option is set to enable SSL/TLS certifica...
Path traversal vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it...
Stored XSS vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 1.32.1 escapes job names, report...
Missing permission checks in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...
Incorrect trust policy behavior for pull requests from forks in cloudbees-bitbucket-branch-source
Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default. In cloudbees-bitbucket-branch-source 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, this trust policy allows...
Sensitive information exposure in build logs by mq-notifier
mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...