1464 matches found
Open redirect vulnerability in oic-auth
oic-auth 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication o...
Tokens stored and displayed in plain text by dingding-json-pusher
dingding-json-pusher 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
CSRF vulnerability in htmlresource allows deleting arbitrary files
htmlresource 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to copy jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Incorrect permission checks in google-compute-engine
google-compute-engine 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate system-scoped...
CSRF vulnerabilities and missing permission checks in matlab allow XXE
matlab determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. matlab 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation...
Exposure of system-scoped credentials in jira
jira 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. jira...
CSRF vulnerability and missing permission checks in neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP...
Stored XSS vulnerability in github
github 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. github 1.37.3.1 escapes GitHub project URL on the build page when showi...
Exposure of system-scoped credentials in warnings-ng
warnings-ng 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled t...
Missing permission check in lambdatest-automation allows enumerating credentials IDs
lambdatest-automation 1.20.9 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Exposure of token through logs in lambdatest-automation
lambdatest-automation 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level. This can result in accidental exposure of the token through the default system log. lambdatest-automation 1.21.0 no longer logs LAMBDATEST Credentials access token...
Arbitrary file deletion vulnerability in electricflow
In electricflow, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup...
Arbitrary file read vulnerability in electricflow
electricflow temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller whe...
Non-constant time webhook token comparison in multibranch-scan-webhook-trigger
multibranch-scan-webhook-trigger 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory...
Non-constant time webhook token comparison in teams-webhook-trigger
teams-webhook-trigger 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is ...
Non-constant time webhook token comparison in gogs-webhook
gogs-webhook 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in trac
trac 1.13 and earlier does not escape the Trac website URL on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Non-constant time webhook token hash comparison in zanata
zanata 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
HTTP/2 denial of service vulnerabilities in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.427 and earlier, LTS...
Stored XSS vulnerability
ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote. This results in a stored...
Temporary plugin file created with insecure permissions
Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they m...
Temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
Stored XSS vulnerability in build-failure-analyzer
build-failure-analyzer 2.4.1 and earlier does not escape Failure Cause names in build logs. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create or update Failure Causes. build-failure-analyzer 2.4.2 escapes Failure Cause names in build logs...
CSRF vulnerability and missing permission check in build-failure-analyzer allow SSRF
build-failure-analyzer 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoin...
CSRF vulnerability in build-failure-analyzer allows deleting Failure Causes
build-failure-analyzer 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete Failure Causes. build-failure-analyzer 2.4.2 requires POST requests for the affected HTTP...
Builds can be filtered by values of sensitive build variables
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 both inclusive, LTS 2.60.1 through 2.414.1 both inclusive does not exclude sensitive build variables...
Path traversal allows exploiting XSS vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict a name query parameter when rendering a history entry. This allows attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. The history view does not property sanitize or escape the...
Path traversal allows exploiting XXE vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file...
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
Incorrect permission checks in qualys-cs
qualys-cs 1.6.2.6 and earlier does not correctly perform a permission check in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate credentials IDs of credentials stored in...
CSRF vulnerability and missing permission check in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...
Disabled permissions granted by assembla-auth
assembla-auth provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE. assembla-auth 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users wi...
Improper masking of credentials in pipeline-maven
pipeline-maven integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom Maven settings, including credentials for authentication. pipeline-maven 1330.v18e473854496 and earlier does not properly mask i.e., replace with asterisks usernames of...
Non-constant time token comparison in google-login
google-login 1.7 and earlier does not use a constant-time comparison when checking whether the provided and expected token are equal. This could potentially allow attackers to use statistical methods to obtain a valid token. google-login 1.8 uses a constant-time comparison when validating the tok...
SSRF vulnerability in bitbucket-push-and-pull-request allows capturing credentials
bitbucket-push-and-pull-request provides a webhook endpoint at /bitbucket-hook/ to receive webhook notifications. When acting on these notifications, bitbucket-push-and-pull-request 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
CSRF vulnerability in ivy
ivy 2.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete disabled modules. As of publication of this advisory, there is no fix. Learn why we announce this...
Disabled permissions can be granted by ssh2easy
ssh2easy 1.4 and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted typically optional permissions, like Overall/Manage to access functionality they're no longer entitled to. NOTE: As a workaround, administrators can save the...
Stored XSS vulnerability in tap
tap 2.3 and earlier does not escape TAP file contents. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control TAP file contents. As of publication of this advisory, there is no fix. Learn why we announce this...
Missing permission check in aws-codecommit-trigger allows enumerating credentials IDs
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
HTML injection vulnerability in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses...
CSRF vulnerability and missing permission checks in frugal-testing
frugal-testing 1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to do the following: Connect to Frugal Testing using attacker-specified username and password. Retrieve test IDs and names from Frugal Testing, if a vali...
CSRF vulnerability in cloudbees-folder
cloudbees-folder 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to copy a view inside a folder. cloudbees-folder 6.848.ve3bfd7839a81 requires POST requests for t...
Information disclosure in cloudbees-folder
cloudbees-folder displays an error message when attempting to access the Scan Organization Folder Log if no logs are available. In cloudbees-folder 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file...
Improper masking of credentials in nodejs
nodejs integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. nodejs 1.6.0 and earlier does not properly mask i.e., replace with asterisks credentials specified in...
CSRF vulnerability in blueocean allows capturing credentials
blueocean 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. This...
HTML injection vulnerability in fortify
fortify 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected...
Stored XSS vulnerability in flaky-test-handler
flaky-test-handler 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control JUnit report file contents. flaky-test-handler 1.2.3 escapes JUnit test contents...
Non-constant time token comparison in tuleap-oauth
tuleap-oauth 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. tuleap-oauth 1.1.21 uses a constant-time comparison when...