TechMedia

Header Image
Author

wpmaster

811184 Posts

Featured

Posted byWpmaster
大規模対戦ACT『Warlander』PS5/XSX版最新情報を公開―新コンテンツ追加やゲーム改善をリリースに向けて開発中
Posted byWpmaster
サウナブームが到来!!「ととのう」を提供するべく新サウナ施設や様々なサウナグッズが登場 (マイライフニュース)
Posted byWpmaster
吉野家HDの24年2月期、営業益34%増 12年ぶり水準 (日本経済新聞)
Posted byWpmaster
【フォト】大規模反攻、夏にずれ込む可能性 ウクライナ首相 (産経新聞)

[org.jenkins-ci.main:jenkins-core] Memory usage graphs accessible to anyone with Overall/Read

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/27/2022

Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller.
Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not adm…

[org.jenkins-ci.main:jenkins-core] Inbound TCP Agent Protocol/3 authentication bypass in Jenkins

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/24/2022

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier include support for the Inbound TCP Agent Protocol/3 for communication between the controller and agents. While this protocol was deprecated in 2018 and was recently removed from Jenkins in 2.214, it…

[org.jenkins-ci.main:jenkins-core] Jenkins Diagnostic page exposed session cookies

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/20/2022

Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID…

[org.jenkins-ci.main:jenkins-core] Non-constant time comparison of inbound TCP agent connection secret

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/20/2022

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier do not use a constant-time comparison when validating the connection secret of an inbound TCP agent connection. This could potentially allow attackers to use statistical methods to obtain t…

[org.jenkins-ci.main:jenkins-core] Non-constant time HMAC comparison

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/20/2022

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier do not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled in…

[org.jenkins-ci.main:jenkins-core] Jenkins vulnerable to UDP amplification reflection attack

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier support two network discovery services (UDP multicast/broadcast and DNS multicast) by default.
The UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes …

[papercrop] papercrop does not properly handle crop input

  • Posted in CRITICAL
  • Posted by Wpmaster
  • 05/25/2022 / 01/25/2023

The papercrop gem before 0.3.0 for Ruby on Rails does not properly handle crop input.
References

https://nvd.nist.gov/vuln/detail/CVE-2015-2784
https://github.com/rsantamaria/papercrop/commit/b4ecd95debaf0a8712bd1d34def83f41fc6b3579
https://github.com…

[org.jenkins-ci.plugins:sounds] Missing permission checks in Jenkins Sounds Plugin allow OS command execution

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/30/2022

Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.
References

https://nvd.ni…

[org.jenkins-ci.plugins:robot] XXE vulnerability in Jenkins Robot Framework Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘Publish Robot Framework’ post-build step to have Jenkins parse a crafte…

[org.jenkins-ci.plugins:cloudbees-jenkins-advisor] Missing permission checks in Health Advisor by CloudBees Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.
Additionally…
