Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps.
Referenc…
[org.jenkins-ci.plugins:credentials-binding] Improper masking of some secrets in Jenkins Credentials Binding Plugin
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then…
[org.jenkins-ci.plugins:ec2] CSRF vulnerability in Amazon EC2 Plugin
Amazon EC2 Plugin 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID.
Amazon…
[org.jenkins-ci.plugins:cvs] CSRF vulnerability in Jenkins CVS Plugin
CVS Plugin 2.15 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
CVS …
[org.jenkins-ci.plugins:copyartifact] Improper permission checks in Jenkins Copy Artifact Plugin
Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks when determining whether a build can copy artifacts from another project build. This allows attackers, usually with Job/Configure permission, to configure jobs to copy artifact…
[org.fedoraproject.jenkins.plugins:copr] Credentials stored in plain text by Jenkins Copr Plugin
Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Copr Plugin 0.6.1 s…
[io.jenkins.plugins:aws-sam] RCE vulnerability in Jenkins AWS SAM Plugin
AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a p…
[com.parasoft:parasoft-findings] XXE vulnerability in Jenkins Parasoft Findings Plugin
Parasoft Findings Plugin implements a static analysis parser for various Parasoft products and integrates with Warnings Plugin (10.4.1 and earlier) and Warnings NG Plugin (10.4.2 and newer).
Parasoft Findings Plugin 10.4.3 and earlier does not configur…
[org.jenkins-ci.plugins:yaml-axis] RCE vulnerability in Jenkins Yaml Axis Plugin
Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a multi-configuration (Matrix) job…
[br.com.ingenieux.jenkins.plugins:awseb-deployment-plugin] Reflected XSS vulnerability in Jenkins AWSEB Deployment Plugin
AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output.
This results in a reflected cross-site scripting (XSS) vulnerability.
AWSEB Deployment Plugin 0.3.20 escapes the values printed as part…