1464 matches found
Arbitrary file read vulnerability through agent connections can lead to RCE
NOTE: This entry was updated on 2024-08-10 to add a reference to a https://github.com/jenkinsci-cert/SECURITY-3430workaround. Jenkins uses the https://github.com/jenkinsci/remotingRemoting library typically agent.jar or remoting.jar for the communication between controller and agents. This librar...
Missing permission check allows accessing other users' "My Views"
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
Exposure of secrets through system log in structs
structs provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When structs 337.v1b04ea4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secre...
Secret file credentials stored unencrypted in rare cases by plain-credentials
When creating secret file credentials plain-credentials 182.v468b97b9dcb8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be...
Bitbucket OAuth access token exposed in the build log by cloudbees-bitbucket-branch-source
cloudbees-bitbucket-branch-source 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. cloudbees-bitbucket-branch-source 887.vad359b3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL i...
Stored XSS vulnerability in teamconcert-git
teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert RTC server URI on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...
XXE vulnerabilities in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity XXE attacks. This allows attackers able to control the input files for hp-application-automation-tools-plugin build steps and post-build steps to have Jenkins parse a crafte...
Missing permission checks in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations...
Path traversal vulnerability in report-info
report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...
Missing permission check in git-server
git-server 114.v068ac7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. git-server 117.veb68868fa027 requires...
Multiple sandbox bypass vulnerabilities in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Token stored in plain text by telegram-notifications
telegram-notifications 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Security protection disabled by svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721. A...
Terrapin SSH vulnerability in Jenkins CLI client
The CLI client jenkins-cli.jar in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to https://vulners.com/cve/CVE-2023-48795CVE-2023-48795 https://en.wikipedia.org/wiki/TerrapinattackTerrapin attack. This vulnerability allows...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.443 and earlier, LTS...
Improper input sanitization in htmlpublisher
SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in htmlpublisher 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback. In htmlpublisher 1.16 through 1.32 both inclusive this fallback for reports created in htmlpublisher 1.15 and earlier does n...
Incorrect trust policy behavior for pull requests from forks in cloudbees-bitbucket-branch-source
Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default. In cloudbees-bitbucket-branch-source 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, this trust policy allows...
Stored XSS vulnerability in dependency-check-jenkins-plugin
dependency-check-jenkins-plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control workspace contents or CVE metadata...
Missing permission checks in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...
SSL/TLS certificate validation disabled by default in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 this option is set to disable SSL/TLS certificate validation by default. In Delphix 3.0.2 this option is set to enable SSL/TLS certifica...
Improper SSL/TLS certificate validation in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 through 3.1.0 both inclusive an option change from disabled validation to enabled validation fails to take effect until Jenkins is...
CSRF vulnerability and missing permission check in docker-build-step
docker-build-step 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided...
CSRF vulnerability and missing permission checks in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...
Terrapin SSH vulnerability in trilead-api
trilead-api bundles the https://github.com/jenkinsci/trilead-ssh2/Jenkins project's fork of the Trilead SSH2 library for use by other plugins. trilead-api 2.133.vfb8a7b9c5dd1 and earlier, except 2.84.86.vf9c960e9b458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to...
Stored XSS vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 1.32.1 escapes job names, report...
Path traversal vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it...
Sensitive information exposure in build logs by mq-notifier
mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...
Stored XSS vulnerability in build-monitor-plugin
build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...
Stored XSS vulnerability in gitbucket
gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in icescrum
icescrum 1.1.6 and earlier does not sanitize iceScrum project URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Arbitrary file read vulnerability in git-server can lead to RCE
git-server uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's...
Non-constant time webhook token comparison in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-branch-source...
Stored XSS vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...
Incorrect permission checks in qualys-pc allow capturing credentials
qualys-pc 1.0.5 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to connect to an attacker-specified URL using attacker-specified credential...
Arbitrary file read vulnerability through the CLI can lead to RCE
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...
Cross-site WebSocket hijacking vulnerability in the CLI
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Path traversal vulnerability in matrix-project
matrix-project 822.v01b8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. This allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file...
Shared projects are unconditionally discovered by gitlab-branch-source
GitLab allows sharing a project with another group. gitlab-branch-source 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group. This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins...
CSRF vulnerability in gitlab-branch-source
gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...
XXE vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure jobs to have Jenkins parse a crafted HTTP response with XML data that uses external entities for extraction of secrets from the Jenkins controller or...
Content-Security-Policy protection for user content disabled by redhat-dependency-analytics
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. redhat-dependency-analytics 0.7.1 and earlier globally disables the...
Arbitrary file read vulnerability in log-command
log-command uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing commands received via instant messaging platforms such as IRC or Jabber. This command parser has a feature that replaces an @ character followed by...
DoS vulnerability in analysis-model-api
analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...
CSRF vulnerability and missing permission checks in Nexus Platform allow XXE
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin does not configure its X...
CSRF vulnerability and missing permission checks in Nexus Platform allow capturing credentials
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Password stored in a recoverable format by oic-auth
oic-auth provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins. In oic-auth 2.6 and earlier the password to that account is stored in a recoverable format. This allows attackers with access to the Jenkins...
Tokens stored and displayed in plain text by paaslane-estimate
paaslane-estimate 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionall...
CSRF vulnerability and missing permission checks in paaslane-estimate
paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resultin...
Arbitrary file deletion vulnerability in scriptler
scriptler 342.v6a89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. scriptler 344.v5addb5f9e685 ensures that the file being deleted is...
Missing permission check in scriptler
scriptler 342.v6a89fd40f466 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID. scriptler 344.v5addb5f9e685 requires the appropriate permission to read the contents of a...