Passwords stored in plain text by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system...
Lack of authentication mechanism for webhook in dockerhub-notification
dockerhub-notification provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt. In dockerhub-notification 2.6.2 and earlier, these endpoints can be accessed without authentication. This allows unauthenticated attackers to trigger...
Password stored in plain text by reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by attackers with access to the Jenkins controller file system. reverse-proxy-auth-plugin 1.7....
Incorrect permission checks in support-core
support-core defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information. support-core 1206.v14049fabd860 and earlier does not correctly perform permission checks in...
Stored XSS vulnerability in naginator
naginator 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. naginator 1.18.2 escapes display names of source...
Arbitrary file read vulnerability in pipeline-utility-steps
pipeline-utility-steps implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. pipeline-utility-steps 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library that...
Stored XSS vulnerability in associated-files
associated-files 0.2.1 and earlier does not escape names of associated files. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in cluster-stats
cluster-stats 0.4.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to delete recorded Jenkins Cluster Statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSR...
XXE vulnerability in japex
japex 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML input files for the 'Record Japex test report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets...
XXE vulnerability on agents in OSF Builder Suite :: XML Linter
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML files that get processed by the 'OSF Builder Suite :: XML Linter' build step to have agent processes parse a crafted file tha...
Stored XSS vulnerability in contrast-continuous-application-security
contrast-continuous-application-security 3.9 and earlier does not escape data returned from the Contrast service when generating a report. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses...
Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline: Groovy Plugin
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...
Webhook endpoint discloses job names to unauthorized users in mercurial
mercurial provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET reques...
Stored XSS vulnerability in workflow-support
workflow-support provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it...
CSRF protection for any URL can be bypassed in pipeline-stage-view
pipeline-stage-view provides a visualization of Pipeline builds. It also allows users to interact with input steps from Pipeline: Input Step Plugin. pipeline-stage-view 2.26 and earlier does not correctly encode the ID of input steps when using it to generate URLs to proceed or abort Pipeline...
Content-Security-Policy protection for user content disabled by ScreenRecorder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. ScreenRecorder 0.7 and earlier programmatically updates the Java system propert...
Content-Security-Policy protection for user content disabled by XFramium Builder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. XFramium Builder 1.0.22 and earlier globally disables the Content-Security-Poli...
API keys stored in plain text by Katalon
Katalon 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Katalon 1.0.33 no longer stores the API...
CSRF protection for any URL can be bypassed in pipeline-input-step
pipeline-input-step 451.vf1aa4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step (proceed or abort) and is not correctly encoded. This allows attackers able to configur...
Missing permission check in compuware-strobe-measurement allows enumerating credentials IDs
compuware-strobe-measurement 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
XXE vulnerability in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML documen...
Missing permission checks in compuware-topaz-for-total-test allow enumerating credentials IDs
compuware-topaz-for-total-test 2.4.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
AWS secrets displayed without masking by s3explorer
s3explorer stores AWSSECRETACCESSKEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration. While this secret is stored encrypted on disk, in s3explorer 1.0.8 and earlier the global configuration form does not mask the AWSSECRETACCESSKEY form field...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerabilit...
Non-constant time webhook token comparison in generic-webhook-trigger
generic-webhook-trigger 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. generic-webhook-trigger 1.84.2 uses a...
Non-constant time webhook token comparison in gitlab-plugin
gitlab-plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-plugin 1.5.36 uses a constant-time comparison...
Missing permission checks in Katalon allow capturing credentials
Katalon 1.0.32 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Agent-to-controller security bypass vulnerability in Katalon
Katalon 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version,...
XXE vulnerability in repo
repo 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
Agent-to-controller security bypass vulnerability in nunit
nunit 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results. This allows attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. nunit 0.28...
Content-Security-Policy protection for user content can be disabled in 360 FireLine
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. 360 FireLine 1.7.2 and earlier globally disables the Content-Security-Policy...
Content-Security-Policy protection for user content disabled by NeuVector Vulnerability Scanner
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. NeuVector Vulnerability Scanner 1.20 and earlier globally disables the...
Agent-to-controller security bypass vulnerabilities in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier implements two agent/controller messages that do not limit where they can be executed. RemoteSystemProperties allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process...
Stored XSS vulnerability in custom-checkbox-parameter
custom-checkbox-parameter 1.4 and earlier does not escape the name and description of the parameter types it provides. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Exploitation of this vulnerability requires that paramete...
Agent-to-controller security bypass vulnerability in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability ...
Agent-to-controller security bypass vulnerability in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
Lack of webhook authentication mechanism in tuleap-git-branch-source
tuleap-git-branch-source provides a webhook endpoint at /tuleap-hook/ that can be used to trigger Tuleap projects configured with a specified repository. In tuleap-git-branch-source 3.2.4 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to...
Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be...
CSRF vulnerability in Katalon allows capturing credentials
Katalon 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
Agent-to-controller security bypass vulnerability in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
CSRF vulnerability and missing permission check in ws-execution-manager allow capturing credentials
ws-execution-manager 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Missing hostname validation in view26
view26 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce this...
API key stored in plain text by bigpanda-jenkins
bigpanda-jenkins 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. Additionally, the...
Missing permission check in extreme-feedback
extreme-feedback 1.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. As of publication of this...
CSRF vulnerability and missing permission check in scm-httpclient allow capturing credentials
scm-httpclient 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Lack of authentication mechanism in DotCi webhook
DotCi provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository. In DotCi 2.40.00 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the...
XXE vulnerability in rqm-plugin
rqm-plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets fro...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
Stored XSS vulnerability in Walti
Walti 1.0.1 and earlier does not escape the information provided by the Walti API. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti. As of publication of this advisory, there is no fix. Learn why we announc...
CSRF vulnerability in security-inspector
security-inspector 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users a...