TechMedia

Archive

Month: May 2022

376 Posts

Featured

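Posted by Wpmaster
The Reality of Wiper Attacks and Digital Information Manipulation as Seen in the Ukraine War
Posted by Wpmaster
"Ace Combat" and "Top Gun: Maverick" in a Dream Collaboration! "F-14A Tomcat" and "F/A-18E Super Hornet" with Maverick Skins Arrive!
Posted by Wpmaster
Yukihiro Takahashi Celebrates 50 Years of Solo Work! Details Announced for the Live Recordings Included in "T.E.N.T Years Vinyl Box"!
Posted by Wpmaster
[camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability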

[org.jenkins-ci.plugins:yaml-axis] RCE vulnerability in Jenkins Yaml Axis Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/17/2022

Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a multi-configuration (Matrix) job…

[br.com.ingenieux.jenkins.plugins:awseb-deployment-plugin] Reflected XSS vulnerability in Jenkins AWSEB Deployment Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 12/21/2022

AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output.
This results in a reflected cross-site scripting (XSS) vulnerability.
AWSEB Deployment Plugin 0.3.20 escapes the values printed as part…

[org.jenkins-ci.plugins:gatling] XSS vulnerability in Jenkins Gatling Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 12/21/2022

Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to ch…

[it.infuse.jenkins:usemango-runner] XSS vulnerability in Jenkins useMango Runner Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 12/21/2022

Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service.
This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned fr…

[io.jenkins.plugins:code-coverage-api] XXE vulnerability in Jenkins Code Coverage API Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/20/2022

Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the “Publish Coverage Report” post-build step to have Jenkins parse a craf…

[org.jenkins-ci.plugins:azure-acs] RCE vulnerability in Jenkins Azure Container Service Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/22/2022

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Az…

[org.jenkins-ci.plugins:queue-cleanup] Reflected XSS vulnerability in Jenkins Queue cleanup Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 12/22/2022

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).
Queue cleanup Plugin 1.4 correctly escapes th…

[org.jenkins-ci.plugins:rapiddeploy-jenkins] XXE vulnerability in Jenkins RapidDeploy Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/22/2022

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘RapidDeploy deployment package build’ build or post-build step to have Jenkin…

[de.taimos:pipeline-aws] RCE vulnerability in Jenkins Pipeline: AWS Steps Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/31/2022

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipelin…

[com.openshift.jenkins:openshift-pipeline] RCE vulnerability in Jenkins OpenShift Pipeline Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 12/29/2022

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenSh…
