Temporary plugin file created with insecure permissions
Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they m...
CSRF vulnerability in build-failure-analyzer allows deleting Failure Causes
build-failure-analyzer 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete Failure Causes. build-failure-analyzer 2.4.2 requires POST requests for the affected HTTP...
Temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
Non-constant time token comparison in google-login
google-login 1.7 and earlier does not use a constant-time comparison when checking whether the provided and expected token are equal. This could potentially allow attackers to use statistical methods to obtain a valid token. google-login 1.8 uses a constant-time comparison when validating the tok...
Improper masking of credentials in pipeline-maven
pipeline-maven integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom Maven settings, including credentials for authentication. pipeline-maven 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of...
Incorrect permission checks in qualys-cs
qualys-cs 1.6.2.6 and earlier does not correctly perform a permission check in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate credentials IDs of credentials stored in...
SSRF vulnerability in bitbucket-push-and-pull-request allows capturing credentials
bitbucket-push-and-pull-request provides a webhook endpoint at /bitbucket-hook/ to receive webhook notifications. When acting on these notifications, bitbucket-push-and-pull-request 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses...
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
Disabled permissions can be granted by ssh2easy
ssh2easy 1.4 and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted (typically optional) permissions, like Overall/Manage, to access functionality they're no longer entitled to. NOTE: As a workaround, administrators can save the...
CSRF vulnerability in ivy
ivy 2.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete disabled modules. As of publication of this advisory, there is no fix. Learn why we announce this...
Path traversal allows exploiting XSS vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict a name query parameter when rendering a history entry. This allows attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. The history view does not properly sanitize or escape the...
Path traversal allows exploiting XXE vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file...
CSRF vulnerability and missing permission check in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. A...
Missing permission check in aws-codecommit-trigger allows enumerating credentials IDs
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
HTML injection vulnerability in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses...
Stored XSS vulnerability in tap
tap 2.3 and earlier does not escape TAP file contents. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. As of publication of this advisory, there is no fix. Learn why we announce this...
Disabled permissions granted by assembla-auth
assembla-auth provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE. assembla-auth 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users wi...
CSRF vulnerability and missing permission checks in frugal-testing
frugal-testing 1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to do the following: Connect to Frugal Testing using attacker-specified username and password. Retrieve test IDs and names from Frugal Testing, if a vali...
CSRF vulnerability in cloudbees-folder
cloudbees-folder 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to copy a view inside a folder. cloudbees-folder 6.848.ve3bfd7839a81 requires POST requests for t...
Unsafe default behavior and information disclosure in gogs-webhook webhook
gogs-webhook provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In gogs-webhook 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default. This allows unauthenticated attackers to trigger builds of jobs...
Exposure of system-scoped credentials in delphix
delphix 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to...
Improper masking of credentials in nodejs
nodejs integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. nodejs 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in...
CSRF vulnerability in blueocean allows capturing credentials
blueocean 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. This...
CSRF vulnerability in cloudbees-folder may approve unsandboxed scripts
cloudbees-folder 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the...
Information disclosure in cloudbees-folder
cloudbees-folder displays an error message when attempting to access the Scan Organization Folder Log if no logs are available. In cloudbees-folder 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file...
Missing permission check in delphix allows enumerating credentials IDs
delphix 3.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
HTML injection vulnerability in fortify
fortify 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected...
Improper masking of credentials in config-file-provider
config-file-provider 952.va544a6234b46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. config-file-provider 953.v0432a802e4d2 masks credentials configured in configuration files if they appear in the build...
Exposure of system-scoped credentials in maven-artifact-choicelistprovider
maven-artifact-choicelistprovider 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials the...
Stored XSS vulnerability in shortcut-job
shortcut-job 0.4 and earlier does not escape the shortcut redirection URL. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. shortcut-job 0.5 escapes the shortcut redirection URL...
Non-constant time token comparison in tuleap-oauth
tuleap-oauth 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. tuleap-oauth 1.1.21 uses a constant-time comparison when...
Stored XSS vulnerability in flaky-test-handler
flaky-test-handler 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents. flaky-test-handler 1.2.3 escapes JUnit test contents...
CSRF vulnerability in favorite-view
favorite-view 5.v77a37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory,...
Stored XSS vulnerability in docker-swarm
docker-swarm processes Docker responses to generate the Docker Swarm Dashboard view. docker-swarm 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by...
CSRF vulnerability and missing permission checks in fortify allow capturing credentials
fortify 22.1.38 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability in bazaar
bazaar 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete previously created Bazaar SCM tags. As of publication of this advisory, there is no fix. Learn why we announce...
Secret displayed without masking by chef-identity
chef-identity stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in chef-identity 2.0.3 and earlier the global configuration form does not mask th...
CSRF vulnerability and missing permission check in servicenow-devops allow capturing credentials
servicenow-devops 1.38.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability in gitlab-oauth
gitlab-oauth 1.17.1 and earlier does not implement a state parameter in its OAuth flow (a unique and non-guessable value associated with each authentication request). This vulnerability allows attackers to trick users into logging in to the attacker's account. gitlab-oauth 1.18 implements a state...
Incorrect permission checks in qualys-was allow capturing credentials
qualys-was 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Incorrect control flow in gradle breaks credentials masking in the build log
gradle 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception. As a result, credentials may not be masked (i.e., replaced with asterisks) in the build log in some circumstances. gradle 2.8.1 improves the control flow an...
Stored XSS vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability...
Missing SSH host key validation in oracle-cloud-infrastructure-compute
oracle-cloud-infrastructure-compute 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds. oracle-cloud-infrastructure-compute 1.0.17 provides...
Open redirect vulnerability in openshift-login
openshift-login 1.1.0.227.v27e08dfb1a20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful...
Missing permission check in miniorange-saml-sp
miniorange-saml-sp 2.3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information...
Missing permission check in datadog allows capturing credentials
datadog 5.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. datadog...
Password transmitted in plain text by active-directory
active-directory allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain"). active-directory 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted. This allows...
Session fixation vulnerability in openshift-login
openshift-login 1.1.0.227.v27e08dfb1a20 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. openshift-login 1.1.0.230.v5d7030bf5432 invalidates the existing session on login...
Missing permission check in mabl-integration allows enumerating credentials IDs
mabl-integration 0.0.46 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...