1440 matches found
Stored XSS vulnerability in dependency-check-jenkins-plugin
dependency-check-jenkins-plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control workspace contents or CVE metadata...
CSRF vulnerability and missing permission checks in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of...
Stored XSS vulnerability in gitbucket
gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Improper SSL/TLS certificate validation in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections. In Delphix 3.0.1 through 3.1.0 (both inclusive), an option change from disabled validation to enabled validation fails to take effect until Jenkins is...
Stored XSS vulnerability in build-monitor-plugin
build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...
Stored XSS vulnerability in icescrum
icescrum 1.1.6 and earlier does not sanitize iceScrum project URLs on build views. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Incorrect permission checks in qualys-pc allow capturing credentials
qualys-pc 1.0.5 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to connect to an attacker-specified URL using attacker-specified credential...
Arbitrary file read vulnerability through the CLI can lead to RCE
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Jenkins uses the args4j library (https://github.com/kohsuke/args4j) to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...
Shared projects are unconditionally discovered by gitlab-branch-source
GitLab allows sharing a project with another group. gitlab-branch-source 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group. This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins...
Path traversal vulnerability in matrix-project
matrix-project 822.v01b8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. This allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file...
Arbitrary file read vulnerability in git-server can lead to RCE
git-server uses the args4j library (https://github.com/kohsuke/args4j) to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's...
XXE vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to configure jobs to have Jenkins parse a crafted HTTP response with XML data that uses external entities for extraction of secrets from the Jenkins controller or...
Stored XSS vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...
Non-constant time webhook token comparison in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-branch-source...
CSRF vulnerability in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...
Arbitrary file read vulnerability in log-command
log-command uses the args4j library (https://github.com/kohsuke/args4j) to parse command arguments and options on the Jenkins controller when processing commands received via instant messaging platforms such as IRC or Jabber. This command parser has a feature that replaces an @ character followed by...
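The three args4j entries above (CLI, git-server, log-command) share one root cause: args4j's @file syntax. The following is an added example, not code from Jenkins or from any of the plugins, that shows the default behaviour beside the hardened parser. It assumes a Jenkins plugin or any Java project with args4j 2.33 or later on the classpath; the bean class and its options are hypothetical, and ParserProperties.withAtSyntax is assumed to be available in that version.

```java
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.Option;
import org.kohsuke.args4j.ParserProperties;

import java.util.ArrayList;
import java.util.List;

// Hypothetical command bean; the option and argument names are illustrative only.
public class AtSyntaxDemo {
    @Option(name = "-n", usage = "job name")
    public String name;

    @Argument
    public List<String> rest = new ArrayList<>();

    // Default args4j behaviour: an argument of the form "@/path" is replaced by the
    // lines of that file, read on the machine running the parser. When the parser
    // runs on the Jenkins controller and the arguments come from a remote caller,
    // that caller gets to read any file the controller process can. The lines then
    // become ordinary arguments, and any parse error that quotes an argument echoes
    // part of the file back to the caller.
    public static AtSyntaxDemo parseDefault(String... args) throws CmdLineException {
        AtSyntaxDemo bean = new AtSyntaxDemo();
        new CmdLineParser(bean).parseArgument(args);
        return bean;
    }

    // Hardened: disable the @file expansion so "@/path" stays a literal string.
    // (Assumption: ParserProperties.withAtSyntax(boolean) exists, args4j 2.33+.)
    public static AtSyntaxDemo parseSafe(String... args) throws CmdLineException {
        AtSyntaxDemo bean = new AtSyntaxDemo();
        CmdLineParser parser = new CmdLineParser(bean, ParserProperties.defaults().withAtSyntax(false));
        parser.parseArgument(args);
        return bean;
    }

    public static void main(String[] argv) throws CmdLineException {
        // Constructed input standing in for an attacker-controlled argument list.
        String[] untrusted = {"-n", "build", "@/etc/passwd"};

        AtSyntaxDemo safe = parseSafe(untrusted);
        System.out.println("safe  rest=" + safe.rest);      // [@/etc/passwd]

        AtSyntaxDemo leaky = parseDefault(untrusted);
        System.out.println("leaky rest=" + leaky.rest);     // one entry per line of /etc/passwd
    }
}
```

Disabling the syntax at the parser is the right fix for code that accepts arguments from untrusted callers; filtering arguments that start with @ before parsing is weaker, because the expansion also applies to option values and to arguments produced by earlier expansions.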
Content-Security-Policy protection for user content disabled by redhat-dependency-analytics
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. redhat-dependency-analytics 0.7.1 and earlier globally disables the...
Cross-site WebSocket hijacking vulnerability in the CLI
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Open redirect vulnerability in oic-auth
oic-auth 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication o...
DoS vulnerability in analysis-model-api
analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072 (https://vulners.com/cve/CVE-2023-5072). This may allow attackers able to control input to cause a denial of service (DoS) by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...
Tokens stored and displayed in plain text by dingding-json-pusher
dingding-json-pusher 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Password stored in a recoverable format by oic-auth
oic-auth provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins. In oic-auth 2.6 and earlier the password to that account is stored in a recoverable format. This allows attackers with access to the Jenkins...
Arbitrary file deletion vulnerability in scriptler
scriptler 342.v6a89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. scriptler 344.v5addb5f9e685 ensures that the file being deleted is...
CSRF vulnerability and missing permission checks in Nexus Platform allow XXE
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin does not configure its X...
Missing permission check in scriptler
scriptler 342.v6a89fd40f466 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID. scriptler 344.v5addb5f9e685 requires the appropriate permission to read the contents of a...
CSRF vulnerability and missing permission checks in Nexus Platform allow capturing credentials
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to copy jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in htmlresource allows deleting arbitrary files
htmlresource 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in paaslane-estimate
paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Learn why we announce this...
Tokens stored and displayed in plain text by paaslane-estimate
paaslane-estimate 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionall...
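The dingding-json-pusher and paaslane-estimate entries above describe the same storage flaw: a token held in a String field is written verbatim to config.xml and shown as-is in the configuration form. The following is an added example, not code from either plugin or from Jenkins, showing the vulnerable field beside the hudson.util.Secret pattern Jenkins plugins use instead. It assumes a Jenkins plugin classpath; the class and field names are hypothetical.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Hypothetical configuration holders; in a real plugin these would be the
// Describable (Builder, Notifier, ...) whose fields Jenkins persists to config.xml.
public final class PusherConfigDemo {
    private PusherConfigDemo() {}

    // Vulnerable shape: XStream serializes the String field as plain text into the
    // job's config.xml, where Item/Extended Read (or file system access) reveals it,
    // and a <f:textbox/> in the Jelly form echoes it into the configuration page.
    public static final class Unsafe {
        public final String accessToken;

        @DataBoundConstructor
        public Unsafe(String accessToken) {
            this.accessToken = accessToken;
        }
    }

    // Hardened shape: Secret is persisted via its encrypted value (bound to the
    // controller's secret key), and the form uses <f:password field="accessToken"/>,
    // so the page carries only the encrypted form. Stapler binds the submitted
    // form value to a Secret automatically.
    public static final class Safe {
        private final Secret accessToken;

        @DataBoundConstructor
        public Safe(Secret accessToken) {
            this.accessToken = accessToken;
        }

        // Getter used by the Jelly form; returns the Secret, never the plaintext.
        public Secret getAccessToken() {
            return accessToken;
        }

        // Decrypt only at the point of use, e.g. when building the outbound request.
        // Secret.toString(Secret) returns "" for null rather than throwing.
        String tokenForRequest() {
            return Secret.toString(accessToken);
        }
    }

    public static void main(String[] args) {
        // Constructed token; a real one would come from the configuration form.
        Secret s = Secret.fromString("dingtalk-token-EXAMPLE");
        Safe cfg = new Safe(s);
        System.out.println("persisted: " + s.getEncryptedValue());   // ciphertext, not the token
        System.out.println("in use:    " + cfg.tokenForRequest());   // plaintext, only here
    }
}
```

Migrating an existing String field is done by changing its type to Secret and adding a readResolve() that wraps any legacy plaintext value with Secret.fromString, so already-saved config.xml files are upgraded on load and re-encrypted on the next save.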
CSRF vulnerability and missing permission checks in neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability...
Exposure of system-scoped credentials in jira
jira 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. jira...
Incorrect permission checks in google-compute-engine
google-compute-engine 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate system-scoped...
CSRF vulnerabilities and missing permission checks in matlab allow XXE
matlab determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. matlab 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation...
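The qualys-pc, Nexus Platform and matlab entries above all come down to an XML parser left at JAXP defaults, which resolve external entities and external DTDs. The following is an added example, not code from any of those plugins or from Jenkins, showing the default builder beside a hardened one and a constructed XXE document to exercise them. It needs only the JDK; the class name and sample document are illustrative.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import java.io.StringReader;

public final class SafeXmlDemo {
    private SafeXmlDemo() {}

    // Constructed sample: declares an external entity that points at a file on the
    // machine doing the parsing (the Jenkins controller) and dereferences it.
    public static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>\n"
        + "<r>&x;</r>";

    // Vulnerable: JAXP defaults. Parsing XXE_SAMPLE yields the file's contents as
    // the text of <r>, and a SYSTEM entity with an http: URL becomes an SSRF.
    public static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse DOCTYPE declarations outright (that alone blocks XXE), and
    // switch off external entities, external DTD loading and XInclude as defence in
    // depth in case a later change relaxes the first setting.
    public static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the root element's text content.
    public static String parseRootText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            parseRootText(safeBuilder(), XXE_SAMPLE);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            // Expected: the parser rejects the document at the DOCTYPE declaration.
            System.out.println("rejected: " + e.getMessage());
        }
        // For comparison only; on a real controller this line reads /etc/hostname.
        System.out.println("unsafe parser read: " + parseRootText(unsafeBuilder(), XXE_SAMPLE));
    }
}
```

Inside Jenkins core there is a pre-hardened helper, jenkins.util.xml.XMLUtils, whose parse methods apply the equivalent settings; plugin code that parses untrusted XML should use that rather than configure a factory by hand, and the advisory fix versions listed on this page generally do one or the other.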
Stored XSS vulnerability in trac
trac 1.13 and earlier does not escape the Trac website URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Exposure of token through logs in lambdatest-automation
lambdatest-automation 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level. This can result in accidental exposure of the token through the default system log. lambdatest-automation 1.21.0 no longer logs LAMBDATEST Credentials access token...
Non-constant time webhook token comparison in multibranch-scan-webhook-trigger
multibranch-scan-webhook-trigger 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory...
Arbitrary file read vulnerability in electricflow
electricflow temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller whe...
Missing permission check in lambdatest-automation allows enumerating credentials IDs
lambdatest-automation 1.20.9 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Exposure of system-scoped credentials in warnings-ng
warnings-ng 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled t...
Non-constant time webhook token comparison in gogs-webhook
gogs-webhook 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
Non-constant time webhook token comparison in teams-webhook-trigger
teams-webhook-trigger 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is ...
Stored XSS vulnerability in github
github 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. github 1.37.3.1 escapes GitHub project URL on the build page when showi...
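Several entries on this page (gitbucket, icescrum, trac, github) are the same bug: a job-configured URL rendered into a build page without escaping. The following is an added example, not code from any of those plugins or from Jenkins, that renders such a link the vulnerable way and the safe way. It needs only the JDK; the class name and the constructed stored values are illustrative. It also covers a case the advisories do not spell out: escaping alone does not make a URL safe in an href, because a stored value such as javascript:alert(1) contains nothing to escape.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SafeLinkDemo {
    private SafeLinkDemo() {}

    // Minimal escaper for HTML text and double-quoted attribute contexts.
    // (Jelly's ${...} expansion does the equivalent when escape-by-default is on;
    // these bugs arise where a value is emitted raw instead.)
    public static String escapeHtml(String s) {
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '&':  b.append("&amp;");  break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    // Only absolute http(s) URLs may become links. Anything else (javascript:,
    // data:, unparsable input) is rendered as plain text instead.
    public static boolean isHttpUrl(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            return u.isAbsolute()
                && ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Vulnerable shape: the configured URL and label go into markup as-is.
    public static String linkUnsafe(String url, String label) {
        return "<a href=\"" + url + "\">" + label + "</a>";
    }

    // Hardened: validate the scheme first, then escape for each output context.
    public static String linkSafe(String url, String label) {
        if (!isHttpUrl(url)) {
            return escapeHtml(label);
        }
        return "<a href=\"" + escapeHtml(url) + "\">" + escapeHtml(label) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed stored values, as an attacker with Item/Configure could set them.
        String breakout = "\"><img src=x onerror=alert(1)>";
        String jsScheme = "javascript:alert(1)";
        String benign = "https://trac.example/p?a=1&b=2";

        System.out.println(linkUnsafe(breakout, "Trac"));   // injects the <img> tag
        System.out.println(linkSafe(breakout, "Trac"));     // Trac   (plain text, no link)
        System.out.println(linkSafe(jsScheme, "Trac"));     // Trac   (plain text, no link)
        System.out.println(linkSafe(benign, "Trac"));       // <a href="https://trac.example/p?a=1&amp;b=2">Trac</a>
    }
}
```

The scheme check matters as much as the escaping: a link whose href is escaped but whose scheme is javascript: still executes on click, and a Content-Security-Policy header does not help for attributes the page itself emitted.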
Non-constant time webhook token hash comparison in zanata
zanata 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
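Five entries on this page (gitlab-branch-source, multibranch-scan-webhook-trigger, gogs-webhook, teams-webhook-trigger, zanata) share one root cause: the webhook token is compared with String.equals, which returns at the first mismatching byte. The following is an added example, not code from any of those plugins or from Jenkins, showing the leaky comparison beside two constant-time variants, including the hashed form the zanata entry refers to. It needs only the JDK; the class name and constructed tokens are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class WebhookTokenCheck {
    private WebhookTokenCheck() {}

    // Vulnerable: String.equals stops at the first differing character, so the
    // time a request takes grows with the length of the correct prefix. With
    // enough samples an attacker recovers the token one character at a time.
    public static boolean equalsLeaky(String expected, String provided) {
        return expected.equals(provided);
    }

    // Constant-time on content: MessageDigest.isEqual compares every byte
    // regardless of where the first difference is. It still returns early when
    // the lengths differ, which leaks only the token length.
    public static boolean equalsConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            provided.getBytes(StandardCharsets.UTF_8));
    }

    // Hash both sides first, then compare the fixed-length digests in constant
    // time: neither content nor length of the provided value affects timing.
    // This is also the right shape when only a hash of the token is stored.
    public static boolean equalsHashed(String expected, String provided)
            throws NoSuchAlgorithmException {
        if (expected == null || provided == null) {
            return false;
        }
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
        md.reset();
        byte[] b = md.digest(provided.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed tokens standing in for the configured value and a request header.
        String configured = "9f2c7a1e4b8d6c3a";
        String attempt    = "9f2c7a1e00000000";   // correct 8-char prefix, wrong tail

        System.out.println(equalsLeaky(configured, attempt));          // false, fast exit
        System.out.println(equalsConstantTime(configured, attempt));   // false, full scan
        System.out.println(equalsHashed(configured, attempt));         // false, fixed cost
        System.out.println(equalsHashed(configured, configured));      // true
    }
}
```

The practical exposure is small per request and the Jenkins advisories say "could potentially"; the fix is nonetheless cheap, and the hashed variant also lets the plugin avoid keeping the token itself in config.xml.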
Arbitrary file deletion vulnerability in electricflow
In electricflow, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup...
HTTP/2 denial of service vulnerabilities in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.427 and earlier, LTS...
CSRF vulnerability and missing permission check in build-failure-analyzer allow SSRF
build-failure-analyzer 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability...
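The "CSRF vulnerability and missing permission checks" entries on this page (svn-partial-release-mgr, qualys-pc, gitlab-branch-source, Nexus Platform, paaslane-estimate, neuvector-vulnerability-scanner, google-compute-engine, matlab, build-failure-analyzer) are all the same pattern in a Stapler form-validation endpoint. The following is an added example, not code from any of those plugins or from Jenkins, showing the vulnerable method beside the hardened one. It assumes a Jenkins plugin classpath (Stapler and Jenkins core); the builder, descriptor and method names are hypothetical.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical build step whose configuration form has a "Test connection" button.
public class ConnectionTestDemoBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Vulnerable shape: reachable by GET, no permission check. Anyone with
        // Overall/Read can make the controller connect to a URL of their choice,
        // and a page on another site can trigger it with a victim's session (CSRF).
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url) {
            return probe(url);
        }

        // Hardened shape. @POST rejects other verbs, so the request passes
        // Jenkins' CSRF crumb check. The permission is checked on the item being
        // configured, not globally: Jenkins.get().hasPermission(Item.CONFIGURE)
        // would pass for a user holding global Item/Configure who has no right to
        // configure this particular job (the google-compute-engine / qualys-pc case).
        // On the global configuration page there is no ancestor item, so the
        // check falls back to Overall/Administer.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(url);
        }

        // Shared probe; the same code in both endpoints is what makes the
        // missing checks, rather than the probe itself, the vulnerability.
        private static FormValidation probe(String url) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
                c.setConnectTimeout(5000);
                c.setReadTimeout(5000);
                c.setRequestMethod("HEAD");
                int code = c.getResponseCode();
                return code < 400
                    ? FormValidation.ok("Reachable (HTTP " + code + ")")
                    : FormValidation.error("Server returned HTTP " + code);
            } catch (Exception e) {
                return FormValidation.error(e, "Connection failed");
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

When the endpoint also takes a credentialsId parameter, the same item-scoped permission check is what stops an attacker with only Overall/Read from pointing stored credentials at a server they control, which is the "capturing credentials" variant several of the entries describe.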
Stored XSS vulnerability in build-failure-analyzer
build-failure-analyzer 2.4.1 and earlier does not escape Failure Cause names in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes. build-failure-analyzer 2.4.2 escapes Failure Cause names in build logs...
Builds can be filtered by values of sensitive build variables
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables...
Stored XSS vulnerability
ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote. This results in a stored...