requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to create requests and/or have administrators a…
[org.jenkins-ci.plugins:cas-plugin] Open redirect vulnerability in Jenkins CAS Plugin
CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site aft…
[org.jenkins-ci.plugins:requests] Missing permission check in Jenkins requests-plugin Plugin allows sending emails
requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.
requests-plugin Plugin 2.2.8 requires Overa…
[org.jenkins-ci.plugins:electricflow] Missing permission check in CloudBees CD Plugin allows scheduling builds
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Ite…
[org.jenkins-ci.plugins:config-file-provider] Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File …
[org.jenkins-ci.plugins:config-file-provider] Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins…
[org.jenkins-ci.plugins:config-file-provider] CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an att…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] Missing permission checks in Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specifie…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specifie…
[org.jenkins-ci.plugins:hp-application-automation-tools-plugin] SSL/TLS certificate validation unconditionally disabled by Jenkins Micro Focus Application Automation Tools Plugin
Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers.
Micro Focus Application Automation Tools Plugin 6.8 no longer disables SSL/TLS ce…