Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to su…
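The Git Plugin entry above describes the two defensive layers a commit-notification handler needs: reject anything that is not a well-formed SHA-1 at intake, and HTML-escape whatever is rendered into the build cause. The following is an added illustration written for this page, not the Git Plugin's own code; the `renderCause` helper, the class name and the sample inputs are constructed for the example.

```java
import java.util.regex.Pattern;

public class CommitNotificationSha {

    // Constructed sample inputs (not taken from the advisory): a real-looking
    // SHA-1 and a value an attacker might submit in the same parameter.
    static final String GOOD = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
    static final String EVIL = "<img src=x onerror=alert(document.domain)>";

    // A Git SHA-1 is exactly 40 hex digits; anything else is not a commit id.
    private static final Pattern SHA1 = Pattern.compile("^[0-9a-fA-F]{40}$");

    static boolean isSha1(String s) {
        return s != null && SHA1.matcher(s).matches();
    }

    // Minimal HTML text-node escaper; covers the characters that can start
    // a tag or attribute boundary when the value is echoed into a page.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable shape: the parameter goes straight into markup.
    static String renderCauseUnsafe(String sha) {
        return "Started by commit " + sha;
    }

    // Hardened shape: validate at intake, escape at output (defence in depth,
    // so a later caller that bypasses validation still cannot inject markup).
    static String renderCause(String sha) {
        if (!isSha1(sha)) {
            throw new IllegalArgumentException("commit id is not a 40-digit hex SHA-1");
        }
        return "Started by commit " + escapeHtml(sha);
    }

    public static void main(String[] args) {
        System.out.println(renderCauseUnsafe(EVIL)); // markup survives into the page
        System.out.println(renderCause(GOOD));       // accepted and rendered safely
        try {
            renderCause(EVIL);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```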
[org.jenkins-ci.main:jenkins-core] Session fixation vulnerability in Jenkins
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier do not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
This vulnerability was introduced in Jenkins 2.266…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows capturing credentials
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in XebiaLabs XL Deploy Plugin allows capturing credentials
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, cap…
[org.jenkins-ci.plugins:urltrigger] XXE vulnerability in Jenkins URLTrigger Plugin
URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of a URL to an XML document being examined…
[io.jenkins.plugins:markdown-formatter] XSS vulnerability in Jenkins Markdown Formatter Plugin
Markdown Formatter Plugin 0.1.0 and earlier uses a Markdown parsing library that does not escape crafted link target URLs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any…
[org.jenkins-ci.plugins:fstrigger] XXE vulnerability in Jenkins Filesystem Trigger Plugin
Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for cha…
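Both the URLTrigger and Filesystem Trigger entries describe the same root cause: a DOM parser created with default settings, which resolves DOCTYPE declarations and external entities in content an attacker controls. The following added example (written for this page, not code from either plugin) shows a default `DocumentBuilderFactory` beside a hardened one and runs both over a constructed XXE payload. The payload, the `poll`/`value` element names and the `/etc/hostname` target are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed payload: a DOCTYPE declaring an external entity that points
    // at a local file, referenced from an element a trigger plugin would read.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE poll [\n" +
        "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<poll><value>&leak;</value></poll>\n";

    // Default factory: DOCTYPE and external entity resolution are enabled.
    static DocumentBuilder unsafeBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: reject DOCTYPE outright, and additionally disable
    // external general/parameter entities and external DTD loading in case
    // a parser implementation ignores the first feature.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the text of the first <value> element,
    // which is where an expanded entity would end up.
    static String parseValue(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the entity is resolved and the file contents land in
        // the parsed value (or an I/O error surfaces if the file is unreadable,
        // which is itself an oracle about the host filesystem).
        try {
            System.out.println("default parser read: " + parseValue(unsafeBuilder(), PAYLOAD).trim());
        } catch (Exception e) {
            System.out.println("default parser attempted entity resolution: " + e);
        }
        // Hardened parser: the DOCTYPE is rejected before any entity is touched.
        try {
            parseValue(hardenedBuilder(), PAYLOAD);
            System.out.println("hardened parser: unexpectedly accepted DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

The disallow-doctype feature is the one that matters for these two advisories, since neither a polled URL nor a polled file has any legitimate need for a DTD; the remaining features are there so that a parser implementation that does not honour it still cannot reach the network or the filesystem.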
[org.jenkins-ci.plugins:templating-engine] Remote code execution vulnerability in Jenkins Templating Engine Plugin
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] Reflected XSS vulnerability in Jenkins Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response.
This results in a reflected cross-site scripting (XSS) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 escapes …
[org.jenkins-ci.plugins:tfs] CSRF vulnerability in Jenkins Team Foundation Server Plugin allows capturing credentials
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing …