TechMedia

Category

HIGH

385 Posts

Featured

Posted by Wpmaster
[Microsoft.NetCore.App.Runtime.win-arm] .NET Remote Code Execution Vulnerability
Posted by Wpmaster
[github.com/traefik/traefik/v2] Traefik HTTP header parsing could cause a denial of service
Posted by Wpmaster
[github.com/answerdev/answer] Answer vulnerable to Exposure of Sensitive Information Through Metadata
Posted by Wpmaster
[github.com/answerdev/answer] Answer vulnerable to Insertion of Sensitive Information Into Sent Data

[org.jenkins-ci.plugins:cvs] XXE vulnerability in Jenkins CVS Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/24/2022

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction…

[org.jenkins-ci.plugins:shelve-project-plugin] CSRF vulnerability in Jenkins Shelve Project Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to shelve, unshelve, or delete a project.
Shelve Project Plug…

[org.jvnet.hudson.plugins:findbugs] Stored XSS vulnerability in Jenkins FindBugs Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin’s post build s…

[org.jvnet.hudson.plugins:analysis-core] Stored XSS vulnerability in Jenkins Static Analysis Utilities Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
References

https://nvd…

[org.jenkins-ci.plugins:subversion] XXE vulnerability in Jenkins Subversion Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for e…

[org.jenkins-ci.plugins:nerrvana-plugin] XXE vulnerability in Jenkins Nerrvana Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entitie…

[org.jenkins-ci.plugins:release] Stored XSS vulnerability in Jenkins Release Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.
References

https://nvd.nist.gov/vu…

[org.jenkins-ci.plugins:role-strategy] Improper authorization due to caching in Jenkins Role-based Authorization Strategy Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups. In Role-based Authorization Strategy Plugin 3.0 and earlier, this cache is not invalidated properly when an administrator changes the permission configurat…

[org.biouno:uno-choice] Stored XSS vulnerability in Jenkins Active Choices Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permis…

[org.biouno:uno-choice] Stored XSS vulnerability in Jenkins Active Choices Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5 esca…
