URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of a URL to an XML document being examined…
[org.jenkins-ci.plugins:fstrigger] XXE vulnerability in Jenkins Filesystem Trigger Plugin
Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for cha…
[org.jenkins-ci.plugins:templating-engine] Remote code execution vulnerability in Jenkins Templating Engine Plugin
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM…
[org.jenkins-ci.plugins:config-file-provider] Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins…
[org.jenkins-ci.plugins:config-file-provider] Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File …
[org.jenkins-ci.plugins:electricflow] Missing permission check in CloudBees CD Plugin allows scheduling builds
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Ite…
[org.jenkins-ci.plugins:config-file-provider] CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an att…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] Missing permission checks in Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specifie…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] SSL/TLS certificate validation unconditionally disabled by Jenkins Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers.
Micro Focus Application Automation Tools Plugin 6.8 no longer disables SSL/TLS ce…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] Reflected XSS vulnerability in Jenkins Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response.
This results in a reflected cross-site scripting (XSS) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 escapes …