1464 matches found
CSRF vulnerability and missing permission checks in codedx
codedx 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Missing permission checks in codedx
codedx 3.1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system. codedx 4.0.0 requires Item/Configure permission for this fo...
CSRF vulnerability and missing permission check in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified...
Credentials displayed without masking by cavisson-ns-nd-integration
cavisson-ns-nd-integration stores credentials in job config.xml files on the Jenkins controller as part of its configuration. While these credentials are stored encrypted on disk, in cavisson-ns-nd-integration 4.8.0.149 and earlier, the job configuration form does not mask these credentials,...
CSRF vulnerability and missing permission checks in tag-profiler
tag-profiler 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As ...
CSRF vulnerability in wso2id-oauth
wso2id-oauth 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this advisory, ther...
CSRF vulnerability in ldap
ldap 673.v034ec70ec2bb and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. ldap...
Missing permission check in email-ext
email-ext 2.96 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. This form...
Arbitrary file write vulnerability on agents in pipeline-utility-steps
pipeline-utility-steps provides the untar and unzip Pipeline steps to extract archives into job workspaces. pipeline-utility-steps 2.15.2 and earlier does not validate or limit file paths of files contained within these archives. This allows attackers able to provide crafted archives as parameter...
Stored XSS vulnerability in testng-plugin
testng-plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide a crafted TestNG repor...
Arbitrary file write vulnerability in file-parameters
file-parameters 285.v757c5b67ac25 and earlier does not restrict the name and resulting uploaded file name of Stashed File Parameters. This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content...
CSRF vulnerability in reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
Missing permission check in azure-vm-agents allows enumerating credentials IDs
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in azure-vm-agents
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method...
CSRF vulnerability and missing permission checks in miniorange-saml-sp allow XXE
miniorange-saml-sp 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML. As the...
Missing hostname validation in miniorange-saml-sp
miniorange-saml-sp 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. miniorange-saml-sp 2.1.0 performs...
CSRF vulnerability and missing permission check in miniorange-saml-sp
miniorange-saml-sp 2.0.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails. Additionally, this HTTP...
API keys stored and displayed in plain text by codedx
codedx 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Improper masking of credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 360.v0a1c04cf807d and earlier does not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent...
Stored XSS vulnerability in TestComplete
TestComplete 2.8.1 and earlier does not escape the TestComplete project name in its test result page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce...
Session fixation vulnerability in wso2id-oauth
wso2id-oauth 1.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in loadcomplete
loadcomplete 1.0 and earlier does not escape the LoadComplete test name in its test result page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in workflow-job
workflow-job 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set build display...
Secrets stored and displayed in plain text by ansible
ansible allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets. ansible 204.v8191fd551ebf and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration...
CSRF vulnerability in email-ext
email-ext 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to make another user stop watching an attacker-specified job. email-ext 2.96.1 requires POST requests for the affected HTTP endpoint...
Improper masking of credentials in multiple plugins
Multiple plugins do not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent typically inside a node block. Push mode for...
Disabled SSL/TLS certificate validation for existing configurations in image-tag-parameter
image-tag-parameter 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default. As of publication of...
Missing permission check in thycotic-secret-server allows enumerating credentials IDs
thycotic-secret-server 1.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Lack of authentication mechanism in quayio-trigger webhook
quayio-trigger provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In quayio-trigger 0.1 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of...
Stored XSS vulnerability in quayio-trigger
quayio-trigger 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads. As of publication of thi...
Lack of authentication mechanism in assembla-merge-request-builder webhook
assembla-merge-request-builder provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In assembla-merge-request-builder 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows...
Lack of authentication mechanism in fogbugz webhook
fogbugz provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs. In fogbugz 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter. As of publicati...
Tokens stored and displayed in plain text by reportportal
reportportal 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the...
CSRF vulnerability and missing permission check in reportportal
reportportal 0.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication. Additionally, this form validation method doe...
Client secret stored and displayed in plain text by wso2id-oauth
wso2id-oauth 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This client secret can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration fo...
CSRF vulnerability in lucene-search
lucene-search 387.v938aecbf7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to reindex the database. As of publication of this advisory, there is no fix. Learn why we announce th...
Token stored and displayed in plain text by consul-kv-builder
consul-kv-builder 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Lack of authentication mechanism in spoonscript webhook
spoonscript provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In spoonscript 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the...
SSL/TLS certificate validation unconditionally disabled by neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. As of publication of this advisory, there is no fix. Learn why we announce this...
Incorrect permission checks in role-strategy
Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them e.g., Overall/Administer or Item/Configure. role-strategy...
Stored XSS vulnerability in jacoco
jacoco 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. jacoco 3.3.2.1 escapes class and method...
Missing permission check in octoperf
octoperf 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Command injection vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...
XXE vulnerability in crap4j
crap4j 0.9 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or...
XXE vulnerability in vs-code-metrics
vs-code-metrics 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
XXE vulnerability in perfpublisher
perfpublisher 8.09 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
XXE vulnerability in phabricator-plugin
phabricator-plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external...
XXE vulnerability in remote-jobs-view-plugin
remote-jobs-view-plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the...
XXE vulnerability in absint-a3
absint-a3 1.1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control 'Project File APX' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controlle...
Stored XSS vulnerability in pipeline-aggregator-view
pipeline-aggregator-view 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission. pipeline-aggregator-view 1.14 obtains...