An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugi…
[asciidoctor] Asciidoctor Infinite Loop vulnerability
Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was…
[org.jenkins-ci.plugins:zos-connector] Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious exte…
[org.jenkins-ci.plugins:vsphere-cloud] Jenkins vSphere Plugin incorrect authorization vulnerability
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSp…
[org.jenkins-ci.plugins:subversion] Jenkins Subversion Plugin Incorrect Authorization vulnerability
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users. As of v…
[org.jenkins-ci.plugins:coverity] Jenkins Coverity Plugin has Insufficiently Protected Credentials
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious extension…
[org.jenkins-ci.plugins:google-play-android-publisher] Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials …
[org.jenkins-ci.plugins:build-publisher] Jenkins Build-Publisher plugin has Insufficiently Protected Credentials
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowin…
[org.jenkins-ci.plugins:parameterized-trigger] Parameterized Trigger Plugin fails to check Item/Build permission
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. The plugin has been adapted to now check f…
[hammer_cli_foreman] hammer_cli_foreman Improper Certificate Validation vulnerability
Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle …