CSRF vulnerability and missing permission checks in macstadium-orka allow capturing credentials
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored ...
CSRF vulnerability and missing permission checks in ghprb
ghprb 1.42.2 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
CSRF vulnerability and missing permission check in testquality-updater
testquality-updater 1.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method do...
Path traversal vulnerability in visualexpert
visualexpert 1.3 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory,...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Missing permission checks in cisco-spark-notifier allow enumerating credentials IDs
cisco-spark-notifier 1.1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Passwords stored in plain text by view-cloner
view-cloner 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
CSRF vulnerability and missing permission check in rabbitmq-consumer
rabbitmq-consumer 2.8 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified AMQP server using attacker-specified username and password. Additionally, this form validation...
CSRF vulnerability in openid
openid 2.4 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this advisory, there is n...
Open redirect vulnerability in openid
openid 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication of...
Session fixation vulnerability in openid
openid 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix.
Session fixation vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix.
Credentials stored in plain text by github-pr-coverage-status
github-pr-coverage-status 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file com.github.terma.jenkins.githubprcoveragestatus.Configuration.xml on the Jenkins controller as part of its configuration. These...
Session fixation vulnerability in azure-ad
azure-ad 303.va91ef20ee49f and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. azure-ad 306.va7083923fd50 invalidates the existing session on login...
Session fixation vulnerability in oic-auth
oic-auth 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 2.5 invalidates the existing session on login...
Exposure of system-scoped Kubernetes credentials in kubernetes-credentials-provider
kubernetes-credentials-provider 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and...
CSRF vulnerability in gerrit-trigger
gerrit-trigger 2.38.0 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to rebuild previous builds triggered by Gerrit. gerrit-trigger 2.38.1 requires POST requests for the...
Session fixation vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. bitbucket-oauth 0.13 invalidates the existing session on login...
Path traversal vulnerability in pwauth
pwauth 0.4 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory, there is...
CSRF vulnerability and missing permission check in BearyChat
BearyChat 3.0.2 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Missing permission checks in macstadium-orka allow enumerating credentials IDs
macstadium-orka 1.31 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
XXE vulnerability in TestComplete
TestComplete 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the zip archive input file for the 'TestComplete Test' build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Keys stored in plain text by jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller...
CSRF vulnerability and missing permission checks in jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
XXE vulnerability on agents in mstest
mstest 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the contents of the report file for the 'Publish MSTest test result report' post-build step to have agent processes parse a crafted file that uses external...
CSRF vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this...
Agent-to-controller security bypass in semantic-versioning-plugin
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity (XXE) attacks. semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and...
CSRF vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. bitbucket-oauth 0.13 implements a...
Password stored in plain text by testquality-updater
testquality-updater 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file com.testquality.jenkins.TestQualityNotifier.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controll...
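The four "stored in plain text" entries above (view-cloner, github-pr-coverage-status, jira-steps, testquality-updater) are all the same defect: a String field holding a secret is serialised verbatim into an XML file on the controller. The following is an added example, not code from any of those plugins, showing a global configuration class in the weak shape and the corrected one using hudson.util.Secret, including the one-time migration of a value saved by an older release. The class and field names (ExampleGlobalConfig, apiToken, token) are assumptions; Secret, GlobalConfiguration and the Stapler annotations are the real Jenkins APIs.

```java
// Added example (not from any plugin named above). Assumed names:
// ExampleGlobalConfig, apiToken (old field), token (new field).
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {

    // BEFORE: a String is written as-is into $JENKINS_HOME/<class name>.xml, so
    // anyone who can read that file (controller file system access, or for job
    // config.xml files Item/Extended Read) reads the secret. Declared transient
    // so XStream still loads old files but never writes this field again.
    private transient String apiToken;

    // AFTER: Secret is serialised as a ciphertext string encrypted under the
    // instance key in $JENKINS_HOME/secrets/, and renders as a password field
    // when the Jelly form uses <f:password>.
    private Secret token;

    public ExampleGlobalConfig() {
        load();  // deserialises the XML; readResolve() below runs as part of that
    }

    // One-time migration of a plaintext value saved by an earlier release. The
    // plaintext copy disappears from disk the next time the config is saved.
    protected Object readResolve() {
        if (apiToken != null && token == null) {
            token = Secret.fromString(apiToken);
            apiToken = null;
        }
        return this;
    }

    public Secret getToken() {
        return token;
    }

    @DataBoundSetter
    public void setToken(Secret token) {
        this.token = token;
        save();
    }

    // Decrypt only at the point of use and keep the plaintext out of log lines
    // and exception messages. Secret.toString(null) is "", so no null check.
    public String bearerHeader() {
        return "Bearer " + Secret.toString(token);
    }
}
```

Two caveats a reviewer should keep in mind: Secret protects against readers of the configuration file, not against someone with full controller file system access, who can also read the key material under secrets/ and decrypt; and the field type alone is not enough, the Jelly view must use a password control, otherwise the encrypted value is still rendered into the form as text.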
XXE vulnerability on agents in semantic-versioning-plugin
semantic-versioning-plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the contents of the version file for the 'Determine Semantic Version' build step to have agent processes parse a crafted file that uses...
XXE vulnerability in plot
plot 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the...
CSRF vulnerability in sonar-gerrit
sonar-gerrit 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to have Jenkins connect to Gerrit servers previously configured by Jenkins administrators using attacker-specified...
Stored XSS vulnerability in spring-config
spring-config 2.0.0 and earlier does not escape build display names shown on the Spring Config view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. spring-config 2.0.1 escapes build display names shown on the Spring...
Stored XSS vulnerability in custom-build-properties
custom-build-properties 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values...
Improper credentials masking in gitea
gitea supports authentication with Gitea personal access tokens. In gitea 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs. gitea 1.4.5 adds suppor...
Stored XSS vulnerability in checkmarx
checkmarx processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI. checkmarx 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site...
Open redirect vulnerability in google-login
google-login 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication...
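The login-flow entries above for openid, Keycloak Authentication, bitbucket-oauth, google-login, azure-ad and oic-auth describe three defects that live in the same two web methods of an OAuth-style security realm: no state parameter (login CSRF), no session invalidation on login (session fixation), and an unchecked post-login redirect (open redirect). The following is an added example, not code from any of those plugins, showing a commenceLogin/finishLogin pair with all three fixed. Assumptions: the javax.servlet API used by Jenkins releases before the Jakarta migration, an identity provider at AUTHZ_ENDPOINT with client ID CLIENT_ID, and a helper exchangeCodeForUsername() standing in for the code-for-token exchange, which is not shown. Util.isSafeToRedirectTo, SecurityListener and SecurityRealm.AUTHENTICATED_AUTHORITY2 are real Jenkins core APIs.

```java
// Added example (not from any plugin named above). Assumed: javax.servlet,
// AUTHZ_ENDPOINT, CLIENT_ID and exchangeCodeForUsername() are placeholders.
import hudson.Util;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jenkins.security.SecurityListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

public class ExampleOAuthLogin {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String STATE_ATTR = "example-oauth-state";
    private static final String FROM_ATTR = "example-oauth-from";
    private static final String AUTHZ_ENDPOINT = "https://idp.example/authorize"; // assumption
    private static final String CLIENT_ID = "jenkins";                          // assumption

    // Step 1: browser hits /securityRealm/commenceLogin?from=/jenkins/job/x/
    public void doCommenceLogin(HttpServletRequest req, HttpServletResponse rsp, String from)
            throws IOException {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        HttpSession s = req.getSession(true);
        s.setAttribute(STATE_ATTR, state);  // binds this browser to this login attempt
        s.setAttribute(FROM_ATTR, from);    // the callback URL is never trusted for the target
        rsp.sendRedirect(AUTHZ_ENDPOINT + "?response_type=code&client_id=" + CLIENT_ID
                + "&state=" + state);
    }

    // Step 2: the IdP sends the browser to /securityRealm/finishLogin?code=..&state=..
    public void doFinishLogin(HttpServletRequest req, HttpServletResponse rsp,
                              String code, String state) throws IOException {
        HttpSession s = req.getSession(false);
        String expected = s == null ? null : (String) s.getAttribute(STATE_ATTR);
        String from = s == null ? null : (String) s.getAttribute(FROM_ATTR);

        // Login CSRF: without this check an attacker starts a login with *their* IdP
        // account, hands the victim the resulting callback URL, and the victim ends
        // up logged in to the attacker's Jenkins account.
        if (expected == null || state == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))) {
            rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "OAuth state mismatch");
            return;
        }
        String username = exchangeCodeForUsername(code);

        // Session fixation: a session ID planted in the victim's browser before login
        // must not become the authenticated session. Invalidate, then start fresh.
        s.invalidate();
        req.getSession(true);

        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(username, "",
                        Collections.singletonList(SecurityRealm.AUTHENTICATED_AUTHORITY2)));
        SecurityListener.fireLoggedIn(username);

        rsp.sendRedirect(safeRedirectTarget(from, req.getContextPath()));
    }

    // Open redirect: honour only targets that stay inside this Jenkins.
    // Util.isSafeToRedirectTo rejects absolute URLs and protocol-relative "//host".
    static String safeRedirectTarget(String from, String contextPath) {
        if (from != null && Util.isSafeToRedirectTo(from)) {
            return from;
        }
        return contextPath + "/";
    }

    // Placeholder for the code-for-token exchange and user lookup (assumption).
    private String exchangeCodeForUsername(String code) {
        throw new UnsupportedOperationException("IdP token exchange not shown");
    }
}
```

The order inside doFinishLogin matters: the state is checked before any network call to the IdP, the old session is invalidated after the user is known but before the authentication is stored, and the redirect target comes from the session written in step 1 rather than from a query parameter on the callback.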
XXE vulnerability on agents in cccc
cccc 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the contents of the report file for the 'Publish CCCC Report' post-build step to have agent processes parse a crafted file that uses external entities for...
CSRF vulnerability and missing permission check in delete-log-plugin
delete-log-plugin 1.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to delete build logs. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of...
Whole-script approval in script-security vulnerable to SHA-1 collisions
script-security 1189.vbab7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash (https://en.wikipedia.org/wiki/SHA-1) of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. script-security 1190.v65867aa47126 uses...
Remote code execution vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.0 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library with t...
Stored XSS vulnerability in junit
junit 1159.v0b396e1e07dd and earlier converts HTTPS URLs in test report output to clickable links. This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. junit 1160.vf1f01aaeab7f no longer converts UR...
XXE vulnerability on agents in sourcemonitor
sourcemonitor 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for...
Missing permission check in loaderio-jenkins-plugin allows enumerating credentials IDs
loaderio-jenkins-plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Lack of authentication mechanism for webhook in xpdev
xpdev provides a webhook endpoint at /xpdev-webhook that can be used to trigger builds configured to use a specified repository. In xpdev 1.0 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to an...
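A root action that deliberately bypasses Jenkins authentication (UnprotectedRootAction) is how webhook endpoints like the one in the xpdev entry are usually built; the defect is that nothing else authenticates the caller. The following is an added example, not xpdev's code, of a webhook that verifies an HMAC over the request body against a shared secret before doing anything, and then schedules only the jobs that explicitly opted in for the named repository. Assumptions: a JSON body {"repository":"org/name"}, a lowercase-hex HMAC-SHA256 in an X-Hook-Signature header, a Secret called exampleSecret populated from global configuration (binding not shown), and the ExampleRepoProperty opt-in. ACL.as2, UnprotectedRootAction, ParameterizedJobMixIn and net.sf.json are real Jenkins core APIs.

```java
// Added example (not from xpdev). Assumed: body {"repository":"..."}, header
// X-Hook-Signature = hex(HMAC-SHA256(secret, body)), exampleSecret set elsewhere.
import hudson.Extension;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.util.Secret;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import net.sf.json.JSONObject;
import org.apache.commons.io.IOUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.verb.POST;

@Extension
public class ExampleWebhook implements UnprotectedRootAction {

    // UnprotectedRootAction switches Jenkins' own authentication off for this URL,
    // which is the state the xpdev entry describes. The handler must authenticate
    // the caller itself before it touches any job.
    @Override public String getUrlName() { return "example-webhook"; }
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }

    static Secret exampleSecret;  // assumed to be populated from global configuration

    @POST
    public void doIndex(StaplerRequest req, StaplerResponse rsp) throws IOException {
        byte[] body = IOUtils.toByteArray(req.getInputStream());
        String sig = req.getHeader("X-Hook-Signature");
        if (sig == null || exampleSecret == null || !signatureMatches(body, sig, exampleSecret)) {
            rsp.sendError(403, "missing or invalid signature");
            return;
        }
        String repo = JSONObject.fromObject(new String(body, StandardCharsets.UTF_8))
                .getString("repository");

        // The caller is anonymous, so lookup and scheduling must run as SYSTEM. Keep
        // that block minimal and match only jobs that opted in for this repository.
        Cause cause = new Cause.RemoteCause(req.getRemoteHost(), "webhook for " + repo);
        try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
            for (Job<?, ?> job : Jenkins.get().getAllItems(Job.class)) {
                ExampleRepoProperty p = job.getProperty(ExampleRepoProperty.class);
                if (p != null && repo.equals(p.getRepository())
                        && job instanceof ParameterizedJobMixIn.ParameterizedJob) {
                    ((ParameterizedJobMixIn.ParameterizedJob<?, ?>) job)
                            .scheduleBuild2(0, new CauseAction(cause));
                }
            }
        }
        rsp.setStatus(202);
    }

    // Constant-time comparison of hex(HMAC-SHA256(secret, body)) with the header.
    static boolean signatureMatches(byte[] body, String headerHex, Secret secret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(
                    secret.getPlainText().getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            byte[] given = hexToBytes(headerHex);
            return given != null && MessageDigest.isEqual(mac.doFinal(body), given);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) (hi << 4 | lo);
        }
        return out;
    }

    // Job-level opt-in: which repository this job listens for.
    public static class ExampleRepoProperty extends JobProperty<Job<?, ?>> {
        private final String repository;
        @DataBoundConstructor
        public ExampleRepoProperty(String repository) { this.repository = repository; }
        public String getRepository() { return repository; }
        @Extension public static class DescriptorImpl extends JobPropertyDescriptor {}
    }
}
```

Without the signature check, anyone who can reach the controller's HTTP port can trigger builds for any repository name they guess; with it, the only way to trigger a build is to know the shared secret, and the damage from a leaked secret is limited to jobs that opted in.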
Arbitrary file read vulnerability in Config Rotator
Config Rotator 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows unauthenticated attackers to read arbitrary files with .xml extension on the Jenkins controller file system. As of publication of this advisory, there is no fix.
Stored XSS vulnerability in BART
BART 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix.
XXE vulnerability on agents in violations
violations 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML input files for the 'Report Violations' post-build step to have agent processes parse a crafted file that uses external entities for extraction of...
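Every XXE entry above (TestComplete, mstest, semantic-versioning-plugin, plot, cccc, sourcemonitor, violations) is the same omission: a DocumentBuilderFactory or similar parser created with default settings, which resolve DOCTYPE declarations and external entities. The following is an added example, not code from any of those plugins, showing a constructed payload of the kind described, the default parser that would expand it, and a hardened factory that rejects it. The class and method names (ReportParser, parseUnsafe, parseSafe) are assumptions; the feature URIs are the standard Xerces/SAX ones honoured by the JDK's built-in parser.

```java
// Added example (not from any plugin named above). Assumed: a plugin that parses
// a report file written into the workspace by a build step.
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ReportParser {

    // Constructed payload (not taken from any advisory): an external entity that
    // makes the parser read a local file and splice its contents into an
    // attribute the plugin later stores in the build or renders in the UI.
    static final String XXE_REPORT =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE report [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<report><suite name=\"&xxe;\"/></report>";

    // VULNERABLE: default factory settings resolve DTDs and external entities.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // HARDENED: refuse any DOCTYPE (so no entity can be declared at all) and, in
    // case a parser implementation ignores that feature, also switch off external
    // entities, external DTD loading and XInclude.
    static DocumentBuilder secureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseSafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return secureBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseSafe(XXE_REPORT);
            System.out.println("unexpected: payload accepted");
        } catch (SAXException e) {
            // The JDK parser reports that DOCTYPE is disallowed when the feature is set.
            System.out.println("rejected as expected: " + e.getMessage());
        }
        // parseUnsafe(XXE_REPORT) would instead return a document whose
        // suite/@name is the contents of /etc/hostname on the JVM doing the parsing.
    }
}
```

Two points from the entries above apply directly. For the "on agents" cases the parse runs inside a FilePath callable on the agent JVM, so the file read is on the agent and the same factory configuration must be used there. Jenkins core also ships jenkins.util.xml.XMLUtils, whose parse methods are already configured this way, which is the simpler choice when the plugin can depend on it. The semantic-versioning-plugin "agent-to-controller" entry is a separate defect: a callable that an agent can send back to the controller should extend jenkins.security.MasterToSlaveCallable so the controller refuses to execute it.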
SSL/TLS certificate validation unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. As of publication of this advisory, there is no fix.
SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...
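The two cavisson-ns-nd-integration entries distinguish "unconditionally" (the plugin's own connections never validate) from "globally and unconditionally" (the plugin changes JVM-wide defaults, so every other plugin's and Jenkins core's HTTPS connections stop validating too). The following is an added example, not the plugin's code, showing the static calls that produce the global variant beside a per-connection configuration that trusts one configured CA and leaves the JVM defaults alone. TlsConfiguration and the caPem parameter are assumptions; everything else is the standard javax.net.ssl API.

```java
// Added example (not from cavisson-ns-nd-integration). Assumed: a plugin that
// must reach a server signed by an internal CA whose PEM is in configuration.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsConfiguration {

    // VULNERABLE, the "globally and unconditionally" variant: both setters are
    // static on HttpsURLConnection, so they change every HTTPS connection opened
    // through that class by any code in the controller JVM, for as long as it
    // runs. With a trust-all manager and verifier any man-in-the-middle
    // certificate is accepted for any host, including update sites and
    // credentials-bearing calls made by unrelated plugins.
    static void disableTlsValidationGlobally() throws GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HostnameVerifier acceptAny = (hostname, session) -> true;
        HttpsURLConnection.setDefaultHostnameVerifier(acceptAny);
    }

    // HARDENED: an SSLContext that trusts exactly the configured CA, applied to
    // the one connection that needs it. The JVM default trust store and default
    // hostname verification stay in force for everyone else.
    static SSLContext contextTrusting(String caPem) throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(
                new ByteArrayInputStream(caPem.getBytes(StandardCharsets.US_ASCII)));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);  // empty in-memory trust store
        ks.setCertificateEntry("internal-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // per connection, not setDefault...
        // Deliberately no setHostnameVerifier(): the default verifier checks the
        // certificate's subject alternative names against url.getHost().
        return conn;
    }
}
```

When auditing a plugin for the global variant, the calls to look for are HttpsURLConnection.setDefaultSSLSocketFactory, HttpsURLConnection.setDefaultHostnameVerifier and SSLContext.setDefault; for the per-feature variant, a trust manager with empty check methods or a hostname verifier that always returns true passed into an HTTP client builder. Neither belongs in a Jenkins plugin; a server with a private CA is handled by trusting that CA, as above, or by adding it to the controller's trust store.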