Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to ch…
[br.com.ingenieux.jenkins.plugins:awseb-deployment-plugin] Reflected XSS vulnerability in Jenkins AWSEB Deployment Plugin
AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output.
This results in a reflected cross-site scripting (XSS) vulnerability.
AWSEB Deployment Plugin 0.3.20 escapes the values printed as part…
[org.jenkins-ci.plugins:queue-cleanup] Reflected XSS vulnerability in Jenkins Queue cleanup Plugin
A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).
Queue cleanup Plugin 1.4 correctly escapes th…
[org.jenkins-ci.plugins:rapiddeploy-jenkins] Stored XSS vulnerability in Jenkins RapidDeploy Plugin
RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.
RapidDeplo…
[org.jvnet.hudson.plugins:svn-release-mgr] Jenkins Subversion Release Manager Plugin vulnerable to cross-site scripting (XSS)
Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation. This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site s…
[fr.edf.jenkins.plugins:mac] Missing permission checks in Mac Plugin
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-…
[fr.edf.jenkins.plugins:mac] Missing SSH host key validation in Mac Plugin
Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Mac Plu…
[fr.edf.jenkins.plugins:mac] CSRF vulnerability in Mac Plugin
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2147
https://…
[org.jenkins-ci.plugins:p4] Missing permission checks in Jenkins P4 Plugin
A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds or add labels in the Perforce repository.
P4 Plugin 1.10.11 appropriate user permissions for the affected HTTP endpoints…
[org.jenkins-ci.plugins:timestamper] Stored XSS vulnerability in Jenkins Timestamper Plugin
Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/A…