Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. Audit Trail Plugin 3.3 escapes the affected part of the error message….
[org.jenkins-ci.plugins:cobertura] Arbitrary file write vulnerability in Jenkins Cobertura Plugin
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. Cobertura Plugin 1.16 sanitizes the file path…
[com.applatix.jenkins:applatix] Password stored in plain text by Applatix Plugin
Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master, where it can be viewed by users with Extended Read permission or with access to the master file system.
References
https://nvd.nist.gov/vul…
[org.jenkins-ci.plugins:harvest] Passwords stored in plain text by Harvest SCM Plugin
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system.
References
https://nvd.nist.g…
[org.jenkins-ci.plugins:harvest] Passwords stored in plain text by Harvest SCM Plugin
Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended R…
[com.catalogic.ecxjenkins:catalogic-ecx] Password stored in plain text by ECX Copy Data Management Plugin
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master, where it can be viewed by users with Extended Read permission or with access to the master file system.
References
https://…
[com.parasoft:environment-manager] Password stored in plain text by Parasoft Environment Manager Plugin
Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master, where it can be viewed by users with Extended Read permission or with access to the master file system.
References
htt…
[com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter] Password stored in plain text by Dynamic Extended Choice Parameter Plugin
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master, where it can be viewed by users with Extended Read permission or with access to the master file system.
Reference…
[org.jenkins-ci.plugins:brakeman] Stored XSS vulnerability in Jenkins brakeman Plugin
brakeman Plugin 0.12 and earlier does not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.
This vulnerability can be exploited by users able to control the Brakeman post-build s…
[org.jenkins-ci.tools:git-parameter] Jenkins Git Parameter Plugin vulnerable to stored cross-site scripting (XSS)
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
References
https://nvd.nist.gov/vuln/detail…