NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
NS-ND Integration Performance Publisher Plugin 4.8.0.146 no lo…
[org.jenkins-ci.plugins:dockerhub-notification] Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.
In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these en…
[org.jenkins-ci.main:config-rotator] Jenkins Config Rotator Plugin vulnerable to path traversal
Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with ‘.xml’ extension on the Jenkins controller file system. Currently there i…
[io.jenkins.plugins:cavisson-ns-nd-integration] Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by attackers with Item/Extended Read permiss…
[org.jenkins-ci.plugins:junit] Jenkins JUnit Plugin subject to Cross-site Scripting via URL conversion
JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links.
This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure p…
[org.jenkins-ci.plugins:script-security] Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions
Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.
Script Security Plugi…
[org.jenkins-ci.main:cavisson-ns-nd-integration] SSL/TLS certificate validation unconditionally disabled by Jenkins NS-ND Integration Performance Publisher Plugin
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Currently, there are no known workarounds or patches.
[org.jenkins-ci.plugins:support-core] Incorrect permission checks in Jenkins Support Core Plugin
Support Core Plugin defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information.
Support Core Plugin 1206.v14049fa_b_d86…
[org.jenkins-ci.plugins:naginator] Cross-site Scripting in Jenkins Naginator Plugin
Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via the Retry action.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display nam…
[org.jenkins-ci.plugins:pipeline-utility-steps] Arbitrary file read vulnerability in Jenkins Pipeline Utility Steps Plugin
Pipeline Utility Steps Plugin implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library.
Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefi…