Amazon EC2 Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions in Amazon EC2 Plugin 1.50.1 and earlier, allowing any user with Over…
[io.jenkins.plugins:scm-filter-jervis] RCE vulnerability in SCM Filter Jervis Plugin
SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure jobs with the filter, or c…
[org.jenkins-ci.plugins:credentials-binding] Secrets are not masked by Jenkins Credentials Binding Plugin in builds without build steps
Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps.
Referenc…
[org.jenkins-ci.plugins:credentials-binding] Improper masking of some secrets in Jenkins Credentials Binding Plugin
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then…
[org.jenkins-ci.plugins:ec2] CSRF vulnerability in Amazon EC2 Plugin
Amazon EC2 Plugin 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID.
Amazon…
[org.jenkins-ci.plugins:cvs] CSRF vulnerability in Jenkins CVS Plugin
CVS Plugin 2.15 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
CVS …
[org.jenkins-ci.plugins:copyartifact] Improper permission checks in Jenkins Copy Artifact Plugin
Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks when determining whether a build can copy artifacts from another project build. This allows attackers, usually with Job/Configure permission, to configure jobs to copy artifact…
[org.fedoraproject.jenkins.plugins:copr] Credentials stored in plain text by Jenkins Copr Plugin
Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Copr Plugin 0.6.1 s…
[io.jenkins.plugins:aws-sam] RCE vulnerability in Jenkins AWS SAM Plugin
AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a p…
[com.parasoft:parasoft-findings] XXE vulnerability in Jenkins Parasoft Findings Plugin
Parasoft Findings Plugin implements a static analysis parser for various Parasoft products and integrates with Warnings Plugin (10.4.1 and earlier) and Warnings NG Plugin (10.4.2 and newer).
Parasoft Findings Plugin 10.4.3 and earlier does not configur…