OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained t…
[org.jenkins-ci.plugins:tfs] Missing permission check in Jenkins Team Foundation Server Plugin allows enumerating credentials IDs
Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an…
[org.jenkins-ci.plugins:tfs] CSRF vulnerability in Jenkins Team Foundation Server Plugin allow capturing credentials
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing …
[org.jenkins-ci.plugins:dependency-track] CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials
OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained t…
[io.jenkins.plugins:rest-list-parameter] Stored XSS vulnerability in Jenkins REST List Parameter Plugin
REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
REST List Paramete…
[org.jenkins-ci.plugins:cloud-stats] Missing permission check in Jenkins Cloud Statistics Plugin
Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.
Cloud Stati…
[org.jenkins-ci.plugins:build-with-parameters] CSRF vulnerability in Jenkins Build With Parameters Plugin
Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to build a project with attacker-specified…
[org.jenkins-ci.plugins:build-with-parameters] Stored XSS vulnerability in Jenkins Build With Parameters Plugin
Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Build With Parameters Plugin 1.5.1 …
[org.jenkins-ci.plugins:extra-columns] Stored XSS vulnerability in Jenkins Extra Columns Plugin
Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view contai…
[org.jenkins-ci.plugins:role-strategy] Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items
Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.
Role-based Authorization Strategy Plugin 3.1 and earlier…