Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Az…
[com.openshift.jenkins:openshift-pipeline] RCE vulnerability in Jenkins OpenShift Pipeline Plugin
OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenSh…
[de.taimos:pipeline-aws] RCE vulnerability in Jenkins Pipeline: AWS Steps Plugin
Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipelin…
[org.jenkins-ci.plugins:literate] Remote Code Execution vulnerability in Jenkins Literate Plugin
Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2158
https://jenkins.i…
[io.jenkins.plugins:cryptomove] OS command injection in CryptoMove Plugin
CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Co…
[org.jenkins-ci.plugins:cobertura] XXE vulnerability in Jenkins Cobertura Plugin
Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘Publish Cobertura Coverage Report’ post-build step to have Jenkins parse a cra…
[org.jenkins-ci.plugins:rundeck] XXE vulnerability in Rundeck Plugin
Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extr…
[org.jenkins-ci.plugins:script-security] Sandbox bypass vulnerability in Script Security Plugin
Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:\n- Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
Crafted method calls on objects that implement GroovyInterceptable
This allo…
[org.jenkins-ci.plugins:fitnesse] XXE vulnerability in FitNesse Plugin
FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities…
[org.jenkins-ci.plugins:google-kubernetes-engine] RCE vulnerability in Google Kubernetes Engine Plugin
Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google …