requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.
requests-plugin Plugin 2.2.8 requires Overa…
[org.jenkins-ci.plugins:cas-plugin] Open redirect vulnerability in Jenkins CAS Plugin
CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site aft…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in XebiaLabs XL Deploy Plugin allows capturing credentials
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, cap…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows capturing credentials
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…
[io.jenkins.plugins:markdown-formatter] XSS vulnerability in Jenkins Markdown Formatter Plugin
Markdown Formatter Plugin 0.1.0 and earlier uses a Markdown library to parse Markdown that does not escape crafted link target URLs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any…
[org.jenkins-ci.plugins:urltrigger] XXE vulnerability in Jenkins URLTrigger Plugin
URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of a URL to an XML document being examined…
[org.jenkins-ci.plugins:fstrigger] XXE vulnerability in Jenkins Filesystem Trigger Plugin
Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for cha…
[org.jenkins-ci.plugins:templating-engine] Remote code execution vulnerability in Jenkins Templating Engine Plugin
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM…
[org.jenkins-ci.plugins:config-file-provider] Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins…
[org.jenkins-ci.plugins:config-file-provider] Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File …