Fortify on Demand Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions in Fortify on Demand Plugin 6.0.0 and earlier, allowing any u…

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation.
This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.
Sonarg…

A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
This form validation method req…

Jenkins Project Inheritance Plugin 21.04.03 and earlier does not redact encrypted secrets in the ‘getConfigAsXML’ API URL when transmitting job config.xml data to users without Job/Configure.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2198
h…

Jenkins limits access to job configuration XML data (config.xml) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…​/get…

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation.
This results in a reflected cross-site scripting (XSS) vulnerability that can also be exploited similar to a sto…

Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remo…

Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remo…