CSRF vulnerability in wso2id-oauth

wso2id-oauth 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this advisory, ther...

CSRF vulnerability in lucene-search

lucene-search 387.v938aecbf7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to reindex the database. As of publication of this advisory, there is no fix. Learn why we announce th...

Missing permission check in thycotic-secret-server allows enumerating credentials IDs

thycotic-secret-server 1.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

Stored XSS vulnerability in quayio-trigger

quayio-trigger 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads. As of publication of thi...

Lack of authentication mechanism in fogbugz webhook

fogbugz provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs. In fogbugz 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter. As of publicati...

Lack of authentication mechanism in assembla-merge-request-builder webhook

assembla-merge-request-builder provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In assembla-merge-request-builder 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows...

Lack of authentication mechanism in quayio-trigger webhook

quayio-trigger provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In quayio-trigger 0.1 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of...

Tokens stored and displayed in plain text by reportportal

reportportal 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the...

Improper masking of credentials in multiple plugins

Multiple plugins do not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent typically inside a node block. Push mode for...

SSL/TLS certificate validation unconditionally disabled by neuvector-vulnerability-scanner

neuvector-vulnerability-scanner 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. As of publication of this advisory, there is no fix. Learn why we announce this...

Disabled SSL/TLS certificate validation for existing configurations in image-tag-parameter

image-tag-parameter 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default. As of publication of...

Lack of authentication mechanism in spoonscript webhook

spoonscript provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In spoonscript 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the...

Client secret stored and displayed in plain text by wso2id-oauth

wso2id-oauth 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This client secret can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration fo...

CSRF vulnerability and missing permission check in reportportal

reportportal 0.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication. Additionally, this form validation method doe...

Token stored and displayed in plain text by consul-kv-builder

consul-kv-builder 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...

XXE vulnerability in remote-jobs-view-plugin

remote-jobs-view-plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the...

XXE vulnerability in phabricator-plugin

phabricator-plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external...

XXE vulnerability in absint-a3

absint-a3 1.1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control 'Project File APX' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controlle...

CSRF vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with...

CSRF vulnerability and missing permission checks in octoperf

octoperf 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST requests,...

Incorrect permission checks in role-strategy

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them e.g., Overall/Administer or Item/Configure. role-strategy...

Missing permission check in octoperf allows enumerating credentials IDs

octoperf 4.5.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...

Missing permission check in octoperf

octoperf 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

Stored XSS vulnerability in jacoco

jacoco 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. jacoco 3.3.2.1 escapes class and method...

CSRF vulnerability in octoperf

octoperf 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anothe...

Stored XSS vulnerability in pipeline-aggregator-view

pipeline-aggregator-view 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission. pipeline-aggregator-view 1.14 obtains...

Command injection vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...

XXE vulnerability in vs-code-metrics

vs-code-metrics 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...

XXE vulnerability in crap4j

crap4j 0.9 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or...

Stored XSS vulnerability in Mashup Portlets

Mashup Portlets 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission. As of...

Stored XSS vulnerability in cppcheck

cppcheck 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control report file contents. As of publication of this advisory, there is no fix...

XXE vulnerability in perfpublisher

perfpublisher 8.09 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...

Information disclosure through error stack traces related to agents

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do...

Workspace temporary directories accessible through directory browser

Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically...

DoS vulnerability in bundled Apache Commons FileUpload library

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier is affected by the Apache Commons FileUpload library's vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-24998CVE-2023-24998. This library is used to process uploaded files via the Stapler web framework usually through StaplerRequestgetFile...

XSS vulnerability in plugin manager

Jenkins 2.270 through 2.393 both inclusive, LTS 2.277.1 through 2.375.3 both inclusive does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This results in a stored cross-sit...

XSS vulnerability in update-center2

https://github.com/jenkins-infra/update-center2/update-center2 is the tool used to generate the Jenkins update sites hosted on updates.jenkins.io. NOTE: While it is designed for use by the Jenkins project for this purpose, others may be using it to operate their own self-hosted update sites...

Temporary file parameter created with insecure permissions

When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI's standard input. Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates this temporary file in the default temporary directory with the default...

Temporary plugin file created with insecure permissions

Jenkins creates a temporary file when a plugin is uploaded from an administrator's computer. Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly...

Missing permission checks in azure-credentials allow enumerating credentials IDs

azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...

CSRF vulnerability and missing permission checks in synopsys-coverity allow capturing credentials

synopsys-coverity 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...

Missing permission checks in synopsys-coverity allow enumerating credentials IDs

synopsys-coverity 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CSRF vulnerability and missing permission checks in azure-credentials

azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified web server. Additionally, these form validation methods do not require POST requests,...

Stored XSS vulnerability in pipeline-build-step

pipeline-build-step 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control job names. pipeline-build-step 2.18.1 escapes job names in the...

Stored XSS vulnerability in custom email templates in email-ext

email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. The Email Template Testing feature can be used to see what these templates would look like based on a given build by specifying the managed:...

Script Security sandbox bypass vulnerability in email-ext

email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. When defined inside a https://plugins.jenkins.io/cloudbees-folder/folder, email templates need to be subject to Script Security protection...

XSS vulnerability in bundled email templates in email-ext

email-ext bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build. email-ext 2.93 and earlier does not escape various fields included in those email templates, lik...

Stored XSS vulnerability in junit

junit 1166.va436e268e972 and earlier does not escape test case class names in JavaScript expressions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin. junit...

Git releases with critical vulnerabilities on Jenkins Docker images

The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...

Agent-to-controller security bypass in semantic-versioning-plugin

semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity XXE attacks. semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and...