Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.
This results in a stored cross-site scr…
[jenkins.ci.plugins.computerqueue:computer-queue-plugin] Stored XSS vulnerability in computer-queue-plugin Plugin
computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
computer-queue-plugin Plugin 1.6 escape…
[org.jenkins-ci.plugins:radiatorviewplugin] Stored XSS vulnerability in Radiator View Plugin
Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
References
https://nvd.nist.gov…
[org.jenkins-ci.plugins:pipeline-maven] Stored XSS vulnerability in Pipeline Maven Integration Plugin via unescaped display name
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission…
[Microsoft.AspNetCore.Http] Cookie parsing failure
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being …
[org.jenkins-ci.plugins:klocwork] XXE vulnerability in Jenkins Klocwork Analysis Plugin
Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that us…
[com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer] XSS vulnerability in Jenkins Build Failure Analyzer Plugin
Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to tes…
[org.jenkins-ci.plugins:jsgames] Reflected XSS vulnerability in Jenkins JSGames Plugin
Jenkins JSGames Plugin 0.2 and earlier evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2248
https://jenkins.io/security/advisory/2020-09-01/#SECUR…
[org.jenkins-ci.plugins:vmanager-plugin] Stored XSS vulnerability in Jenkins Cadence vManager Plugin
Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
Cadence vManager Plugin 3.0.5 removes …
[org.jenkins-ci.plugins:valgrind] XXE vulnerability in Jenkins Valgrind Plugin
Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external e…