1464 matches found
XXE vulnerability in phabricator-plugin
phabricator-plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external...
XXE vulnerability in vs-code-metrics
vs-code-metrics 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
XXE vulnerability in absint-a3
absint-a3 1.1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control 'Project File APX' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controlle...
Command injection vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...
Missing permission check in octoperf
octoperf 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Stored XSS vulnerability in jacoco
jacoco 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. jacoco 3.3.2.1 escapes class and method...
XSS vulnerability in plugin manager
Jenkins 2.270 through 2.393 both inclusive, LTS 2.277.1 through 2.375.3 both inclusive does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This results in a stored cross-sit...
Temporary plugin file created with insecure permissions
Jenkins creates a temporary file when a plugin is uploaded from an administrator's computer. Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
DoS vulnerability in bundled Apache Commons FileUpload library
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier is affected by the Apache Commons FileUpload library's vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-24998CVE-2023-24998. This library is used to process uploaded files via the Stapler web framework usually through StaplerRequestgetFile...
Workspace temporary directories accessible through directory browser
Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically...
Temporary file parameter created with insecure permissions
When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI's standard input. Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates this temporary file in the default temporary directory with the default...
Information disclosure through error stack traces related to agents
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do...
XSS vulnerability in update-center2
https://github.com/jenkins-infra/update-center2/update-center2 is the tool used to generate the Jenkins update sites hosted on updates.jenkins.io. NOTE: While it is designed for use by the Jenkins project for this purpose, others may be using it to operate their own self-hosted update sites...
Stored XSS vulnerability in junit
junit 1166.va436e268e972 and earlier does not escape test case class names in JavaScript expressions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin. junit...
Stored XSS vulnerability in pipeline-build-step
pipeline-build-step 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control job names. pipeline-build-step 2.18.1 escapes job names in the...
XSS vulnerability in bundled email templates in email-ext
email-ext bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build. email-ext 2.93 and earlier does not escape various fields included in those email templates, lik...
Stored XSS vulnerability in custom email templates in email-ext
email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. The Email Template Testing feature can be used to see what these templates would look like based on a given build by specifying the managed:...
Script Security sandbox bypass vulnerability in email-ext
email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. When defined inside a https://plugins.jenkins.io/cloudbees-folder/folder, email templates need to be subject to Script Security protection...
Missing permission checks in azure-credentials allow enumerating credentials IDs
azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
CSRF vulnerability and missing permission checks in azure-credentials
azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified web server. Additionally, these form validation methods do not require POST requests,...
Missing permission checks in synopsys-coverity allow enumerating credentials IDs
synopsys-coverity 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in synopsys-coverity allow capturing credentials
synopsys-coverity 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stor...
Git releases with critical vulnerabilities on Jenkins Docker images
The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...
CSRF vulnerability and missing permission check in testquality-updater
testquality-updater 1.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method do...
XXE vulnerability on agents in semantic-versioning-plugin
semantic-versioning-plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the version file for the 'Determine Semantic Version' build step to have agent processes parse a crafted file that uses...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
CSRF vulnerability in gerrit-trigger
gerrit-trigger 2.38.0 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild previous builds triggered by Gerrit. gerrit-trigger 2.38.1 requires POST requests for the...
Session fixation vulnerability in oic-auth
oic-auth 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 2.5 invalidates the existing session on login...
Exposure of system-scoped Kubernetes credentials in kubernetes-credentials-provider
kubernetes-credentials-provider 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and...
Session fixation vulnerability in azure-ad
azure-ad 303.va91ef20ee49f and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. azure-ad 306.va7083923fd50 invalidates the existing session on login...
Session fixation vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. bitbucket-oauth 0.13 invalidates the existing session on login...
CSRF vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. bitbucket-oauth 0.13 implements a...
Agent-to-controller security bypass in semantic-versioning-plugin
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity XXE attacks. semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and...
Missing permission checks in macstadium-orka allow enumerating credentials IDs
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in macstadium-orka allow capturing credentials
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored ...
Missing permission check in ghprb allows enumerating credentials IDs
ghprb 1.42.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
CSRF vulnerability and missing permission checks in ghprb
ghprb 1.42.2 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
CSRF vulnerability and missing permission checks in jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Keys stored in plain text by jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller...
XXE vulnerability on agents in mstest
mstest 1.0.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the report file for the 'Publish MSTest test result report' post-build step to have agent processes parse a crafted file that uses external...
Credentials stored in plain text by github-pr-coverage-status
github-pr-coverage-status 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file com.github.terma.jenkins.githubprcoveragestatus.Configuration.xml on the Jenkins controller as part of its configuration. These...
Session fixation vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this...
XXE vulnerability in TestComplete
TestComplete 2.8.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the zip archive input file for the 'TestComplete Test' build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Session fixation vulnerability in openid
openid 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
Open redirect vulnerability in openid
openid 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication of...
CSRF vulnerability in openid
openid 2.4 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this advisory, there is n...
CSRF vulnerability and missing permission check in rabbitmq-consumer
rabbitmq-consumer 2.8 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified AMQP server using attacker-specified username and password. Additionally, this form validation...
Path traversal vulnerability in pwauth
pwauth 0.4 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory, there is...
Passwords stored in plain text by view-cloner
view-cloner 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...