A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing …
[org.jenkins-ci.plugins:dependency-track] CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials
OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained t…
[io.jenkins.plugins:rest-list-parameter] Stored XSS vulnerability in Jenkins REST List Parameter Plugin
REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
REST List Paramete…
[org.jenkins-ci.plugins:cloud-stats] Missing permission check in Jenkins Cloud Statistics Plugin
Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.
Cloud Stati…
[org.jenkins-ci.plugins:build-with-parameters] CSRF vulnerability in Jenkins Build With Parameters Plugin
Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to build a project with attacker-specified…
[org.jenkins-ci.plugins:build-with-parameters] Stored XSS vulnerability in Jenkins Build With Parameters Plugin
Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Build With Parameters Plugin 1.5.1 …
[org.jenkins-ci.plugins:extra-columns] Stored XSS vulnerability in Jenkins Extra Columns Plugin
Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view contai…
[org.jenkins-ci.plugins:role-strategy] Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items
Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.
Role-based Authorization Strategy Plugin 3.1 and earlier…
[io.jenkins.plugins:warnings-ng] Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents
Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attac…
[org.jenkins-ci.plugins:aws-credentials] Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs
CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins if any of …