1464 matches found
Missing permission checks in cisco-spark-notifier allow enumerating credentials IDs
cisco-spark-notifier 1.1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission check in BearyChat
BearyChat 3.0.2 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Password stored in plain text by testquality-updater
testquality-updater 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file com.testquality.jenkins.TestQualityNotifier.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controll...
Path traversal vulnerability in visualexpert
visualexpert 1.3 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory,...
XXE vulnerability in plot
plot 2.1.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the...
Open redirect vulnerability in google-login
google-login 1.4 through 1.6 both inclusive improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication...
Stored XSS vulnerability in checkmarx
checkmarx processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI. checkmarx 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site...
Improper credentials masking in gitea
gitea support authentication with Gitea personal access tokens. In gitea 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs. gitea 1.4.5 adds suppor...
Stored XSS vulnerability in custom-build-properties
custom-build-properties 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set or change these values...
Stored XSS vulnerability in spring-config
spring-config 2.0.0 and earlier does not escape build display names shown on the Spring Config view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change build display names. spring-config 2.0.1 escapes build display names shown on the Spring...
CSRF vulnerability in sonar-gerrit
sonar-gerrit 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to have Jenkins connect to Gerrit servers previously configured by Jenkins administrators using attacker-specified...
Whole-script approval in script-security vulnerable to SHA-1 collisions
script-security 1189.vbab7c8fd5fde and earlier stores whole-script approvals as the https://en.wikipedia.org/wiki/SHA-1SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. script-security 1190.v65867aa47126 uses...
CSRF vulnerability and missing permission check in delete-log-plugin
delete-log-plugin 1.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to delete build logs. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...
XXE vulnerability on agents in cccc
cccc 0.6 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the report file for the 'Publish CCCC Report' post-build step to have agent processes parse a crafted file that uses external entities for...
XXE vulnerability on agents in sourcemonitor
sourcemonitor 0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for...
XXE vulnerability on agents in OSF Builder Suite : : XML Linter
OSF Builder Suite : : XML Linter 1.0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML files that get processed by the 'OSF Builder Suite : : XML Linter' build step to have agent processes parse a crafted file tha...
CSRF vulnerability and missing permission check in cluster-stats
cluster-stats 0.4.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to delete recorded Jenkins Cluster Statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSR...
XXE vulnerability in japex
japex 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Record Japex test report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets...
Stored XSS vulnerability in associated-files
associated-files 0.2.1 and earlier does not escape names of associated files. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in junit
junit 1159.v0b396e1e07dd and earlier converts HTTPS URLs in test report output to clickable links. This is done in an unsafe manner, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. junit 1160.vf1f01aaeab7f no longer converts UR...
Password stored in plain text by reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by attackers with access to the Jenkins controller file system. reverse-proxy-auth-plugin 1.7....
Passwords stored in plain text by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system...
SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...
XXE vulnerability on agents in violations
violations 0.7.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers to to control XML input files for the 'Report Violations' post-build step to have agent processes parse a crafted file that uses external entities for extraction of...
Remote code execution vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.0 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library with t...
Incorrect permission checks in support-core
support-core defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information. support-core 1206.v14049fabd860 and earlier does not correctly perform permission checks in...
Stored XSS vulnerability in BART
BART 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we...
Arbitrary file read vulnerability in Config Rotator
Config Rotator 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows unauthenticated attackers to read arbitrary files with .xml extension on the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we announce...
Lack of authentication mechanism for webhook in xpdev
xpdev provides a webhook endpoint at /xpdev-webhook that can be used to trigger builds configured to use a specified repository. In xpdev 1.0 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to an...
Arbitrary file read vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library that...
Stored XSS vulnerability in naginator
naginator 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to edit build display names. naginator 1.18.2 escapes display names of source...
Lack of authentication mechanism for webhook in dockerhub-notification
dockerhub-notification provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt. In dockerhub-notification 2.6.2 and earlier, these endpoints can be accessed without authentication. This allows unauthenticated attackers to trigger...
SSL/TLS certificate validation unconditionally disabled by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. As of publication of this advisory, there is no fix. Learn why we announce this...
Missing permission check in loaderio-jenkins-plugin allows enumerating credentials IDs
loaderio-jenkins-plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF protection for any URL can be bypassed in pipeline-input-step
pipeline-input-step 451.vf1aa4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step proceed or abort and is not correctly encoded. This allows attackers able to configur...
Stored XSS vulnerability in workflow-support
workflow-support provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it...
Non-constant time webhook token comparison in generic-webhook-trigger
generic-webhook-trigger 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. generic-webhook-trigger 1.84.2 uses a...
Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin formerly Pipeline: Shared Groovy Libraries Plugin define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be...
CSRF protection for any URL can be bypassed in pipeline-stage-view
pipeline-stage-view provides a visualization of Pipeline builds. It also allows users to interact with input steps from Pipeline: Input Step Plugin. pipeline-stage-view 2.26 and earlier does not correctly encode the ID of input steps when using it to generate URLs to proceed or abort Pipeline...
Webhook endpoint discloses job names to unauthorized users in mercurial
mercurial provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET reques...
Non-constant time webhook token comparison in gitlab-plugin
gitlab-plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-plugin 1.5.36 uses a constant-time comparison...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerabilit...
Agent-to-controller security bypass vulnerability in nunit
nunit 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results. This allows attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. nunit 0.28...
Content-Security-Policy protection for user content disabled by ScreenRecorder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. ScreenRecorder 0.7 and earlier programmatically updates the Java system propert...
Content-Security-Policy protection for user content disabled by NeuVector Vulnerability Scanner
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. NeuVector Vulnerability Scanner 1.20 and earlier globally disables the...
Content-Security-Policy protection for user content can be disabled in 360 FireLine
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. 360 FireLine 1.7.2 and earlier globally disables the Content-Security-Policy...
Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline: Groovy Plugin
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...
XXE vulnerability in repo
repo 1.15.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
Missing permission checks in Katalon allow capturing credentials
Katalon 1.0.32 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability in Katalon allows capturing credentials
Katalon 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...