TechMedia

Archive

Month: May 2022

376 Posts

Featured

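Posted by Wpmaster
The reality of wiper attacks and digital information manipulation as seen in the war in Ukraine
Posted by Wpmaster
"Ace Combat" and "Top Gun: Maverick" in a dream collaboration! Maverick-skinned "F-14A Tomcat" and "F/A-18E Super Hornet" make their appearance!
Posted by Wpmaster
Yukihiro Takahashi marks the 50th anniversary of his solo career! Details announced for the live recordings included in "T.E.N.T Years Vinyl Box"!
Posted by Wpmaster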
[camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability

[com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer] XSS vulnerability in Jenkins Build Failure Analyzer Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to tes…

[org.jenkins-ci.plugins:klocwork] XXE vulnerability in Jenkins Klocwork Analysis Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that us…

[org.jenkins-ci.plugins:soapui-pro-functional-testing] Passwords stored in plain text by Jenkins ReadyAPI Functional Testing Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

ReadyAPI Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files as part of its configuration. These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins cont…

[org.jenkins-ci.plugins:valgrind] Stored XSS vulnerability in Jenkins Valgrind Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/29/2022

Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.
References

https://nvd.nist…

[org.jenkins-ci.tools:git-parameter] Stored XSS vulnerability in Jenkins Git Parameter Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the ‘Build with Parameters’ page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Git Paramet…

[org.jenkins-ci.plugins:Parameterized-Remote-Trigger] Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. Thi…

[org.jenkins-ci.plugins:database] CSRF vulnerability in Jenkins Database Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Database Plugin 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to execute arbitrary SQL scripts.
Database Plugin 1.7 removes t…

[org.jenkins-ci.plugins:database] CSRF vulnerability in Jenkins Database Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials.
Database Plugin 1.7 requires POST requests for the a…

[org.jenkins-ci.plugins:database] Missing permission checks in Jenkins Database Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials.
Database Plugin 1.7 requires Overall/Ad…

[org.jenkins-ci.plugins:tfs] Credentials stored in plain text by Jenkins tfs Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access…
