An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, cap…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows capturing credentials
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…
[io.jenkins.plugins:markdown-formatter] XSS vulnerability in Jenkins Markdown Formatter Plugin
Markdown Formatter Plugin 0.1.0 and earlier uses a Markdown library to parse Markdown that does not escape crafted link target URLs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any…
[org.jenkins-ci.plugins:urltrigger] XXE vulnerability in Jenkins URLTrigger Plugin
URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined…
[org.jenkins-ci.plugins:fstrigger] XXE vulnerability in Jenkins Filesystem Trigger Plugin
Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for cha…
[org.jenkins-ci.plugins:templating-engine] Remote code execution vulnerability in Jenkins Templating Engine Plugin
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM…
[org.jenkins-ci.plugins:config-file-provider] Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins…
[org.jenkins-ci.plugins:config-file-provider] Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File …
[org.jenkins-ci.plugins:electricflow] Missing permission check in CloudBees CD Plugin allows scheduling builds
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Ite…
[org.jenkins-ci.plugins:config-file-provider] CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an att…