Config File Provider Security Vulnerabilities and Issues — Config File Provider CVE List

Lucene search

JenkinsConfig File Provider

9 matches found

CVE•added 2023/08/16 3:15 p.m.•318 views

CVE-2023-40339

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

7.5CVSS7.3AI score0.00185EPSS

CVE•added 2021/04/21 3:15 p.m.•153 views

CVE-2021-21643

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

6.5CVSS6.4AI score0.00458EPSS

CVE•added 2021/04/21 3:15 p.m.•148 views

CVE-2021-21642

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.1CVSS7.8AI score0.01003EPSS

CVE•added 2021/04/21 3:15 p.m.•145 views

CVE-2021-21645

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs.

4.3CVSS4.6AI score0.00118EPSS

CVE•added 2021/04/21 3:15 p.m.•138 views

CVE-2021-21644

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

5.8CVSS5.6AI score0.00071EPSS

CVE•added 2019/02/06 4:29 p.m.•63 views

CVE-2019-1003014

An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the...

4.8CVSS4.9AI score0.00067EPSS

CVE•added 2019/01/09 11:29 p.m.•44 views

CVE-2018-1000413

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

5.4CVSS5.1AI score0.00106EPSS

CVE•added 2017/10/05 1:29 a.m.•43 views

CVE-2017-1000104

The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permis...

6.5CVSS6.3AI score0.0003EPSS

CVE•added 2019/01/09 11:29 p.m.•37 views

CVE-2018-1000414

A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.

8.1CVSS8AI score0.00072EPSS