A data modification vulnerability exists in Jenkins in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
A denial of service vulnerability exists in Jenkins in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
An information exposure vulnerability exists in Jenkins in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.
A code execution vulnerability exists in the Stapler web framework used by Jenkins that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
A denial of service vulnerability exists in Jenkins in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.
An information exposure vulnerability exists in Jenkins in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.
An improper authorization vulnerability exists in Jenkins in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.
A vulnerability exists in Jenkins in SecurityRealm.java, TokenBasedRememberMeServices.java that allows attackers with a valid remember-me cookie to remain logged in even if the remember-me feature is disabled.
A vulnerability exists in Jenkins that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
Sensitive information is leaked through Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.
An improper authorization vulnerability exists in Jenkins in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches and abort in-progress agent launches.
An improper authorization vulnerability exists in Jenkins in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.
An unauthorized modification of configuration vulnerability exists in Jenkins in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory.
An arbitrary file read vulnerability exists in the Stapler web framework used by Jenkins that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
A cross-site scripting vulnerability exists in Jenkins, in BuildTimelineWidget.java, that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
A cross-site scripting vulnerability exists in Jenkins that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP error pages while Stapler debug mode is enabled.
A path traversal vulnerability exists in Jenkins in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
An improper neutralization of control sequences vulnerability exists in Jenkins in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
An information exposure vulnerability exists in Jenkins that allows users with Overall/Read access to enumerate all installed plugins.
A server-side request forgery vulnerability exists in Jenkins that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful or not.
Jenkins uses AES in ECB block cipher mode for encrypting secrets. ECB has no IV and no chaining, so encryption is deterministic and identical plaintext blocks produce identical ciphertext blocks; this leaks the structure of, and equality between, stored secrets and provides no integrity protection, exposing Jenkins and the stored secrets to unnecessary risk.
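The following is an added example, not code from Jenkins, showing why the ECB construction above is weak: it encrypts a constructed secret that repeats one 16-byte block three times, once block-by-block in ECB and once with AES-GCM under a fresh random nonce, and counts repeated ciphertext blocks. The key, the sample secret and the choice of GCM as the sound alternative are assumptions of this example; it says nothing about the mode the Jenkins project adopted in its fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ecbEncrypt is the weak construction: every 16-byte block is encrypted
// independently with no IV and no chaining, so the output is deterministic
// and equal plaintext blocks yield equal ciphertext blocks.
// Plaintext must already be a multiple of the block size (no padding here).
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// gcmSeal is one sound alternative (an assumption of this example): AES-GCM
// with a fresh random nonce per call, prefixed to the ciphertext. Output
// differs on every call and the tag detects tampering with stored secrets.
func gcmSeal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen reverses gcmSeal and fails on any modified byte.
func gcmOpen(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

// repeatedBlocks counts distinct 16-byte ciphertext blocks that occur more
// than once; anything above zero means the ciphertext leaks plaintext structure.
func repeatedBlocks(ct []byte) int {
	counts := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		counts[string(ct[i:i+aes.BlockSize])]++
	}
	n := 0
	for _, c := range counts {
		if c > 1 {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample key and secret; the secret repeats one 16-byte block
	// three times, as padded or structured secrets often do.
	key := bytes.Repeat([]byte{0x11}, 16)
	secret := bytes.Repeat([]byte("secret-block-16!"), 3)

	ecb, _ := ecbEncrypt(key, secret)
	gcm, _ := gcmSeal(key, secret)
	fmt.Println("ECB:", hex.EncodeToString(ecb), "repeated blocks:", repeatedBlocks(ecb))
	fmt.Println("GCM:", hex.EncodeToString(gcm), "repeated blocks:", repeatedBlocks(gcm[12:]))
}
```

Running it prints the ECB ciphertext as the same 32 hex characters three times over, while the GCM ciphertext shows no repetition and changes on every run; encrypting the same secret twice with ECB also yields byte-identical output, which gives anyone who can read the secrets store an equality oracle over the stored values.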
Jenkins is vulnerable to an information disclosure vulnerability in search suggestions. The autocomplete feature on the search box discloses the names of views in its suggestions, including those the current user does not have access to.
Jenkins is vulnerable to a persisted cross-site scripting vulnerability in console notes. Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
Jenkins is vulnerable to an improper exclusion of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents.
Jenkins is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens.
In Jenkins, node monitor data could be viewed by low-privilege users via the remote API. This included system configuration and runtime information of the nodes.
In Jenkins, low-privilege users were able to override JDK download credentials, resulting in future builds possibly failing to download a JDK.
In Jenkins, low-privilege users were able to act on administrative monitors because the monitors were not consistently protected by permission checks.
Jenkins is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs.
Jenkins is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names.
Jenkins is vulnerable to cross-site request forgery allowing user creation via GET requests by administrators. While the resulting user record was in most cases only retained until restart, administrators' web browsers could be manipulated into creating user records.
Jenkins is vulnerable to a persisted cross-site scripting in parameter names and descriptions. Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
Jenkins is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible. This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
Jenkins is vulnerable to an insufficient permission check for periodic processes.
Jenkins allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.
A cross-site scripting vulnerability exists in Jenkins in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.
Jenkins is vulnerable to an insufficient permission check. This allows users with permissions to create new items to overwrite existing items they don't have access to.
Jenkins and Jenkins LTS do not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allows users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master …
An improper authorization vulnerability exists in Jenkins that allows an attacker to submit HTTP GET requests and get limited information about the response.
An improper input validation vulnerability in Jenkins allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.
The login command available in the remoting-based CLI stores the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values, were able to impersonate any other Jenkins user on the same instance.
Jenkins is vulnerable to a deserialization vulnerability.
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing denylist-based protection mechanism.
Jenkins is vulnerable to an issue in the Jenkins user database authentication realm.
Users with permission to create or configure agents in Jenkins could configure a launch method called "Launch agent via execution of command on master". This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.
The remote API in Jenkins shows information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g., due to lack of Item/Read permission.
Jenkins provides information about Jenkins user accounts, which is generally available to anyone with Overall/Read permission, via the /user/(username)/api remote API. This included Jenkins users' email addresses if the Mailer Plugin is installed.
The Jenkins remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to.
The Jenkins remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to.
The Jenkins default form control for passwords and other secrets, <f:password/>, supports form validation. The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files.
Jenkins bundles a version of the commons-fileupload library with a denial-of-service vulnerability.
Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.
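The three entries about plugin resource paths escaping their base directory, META-INF and WEB-INF being reachable on case-insensitive file systems, and user IDs used unescaped as directory names, together with the earlier entry about user names containing control characters, all come down to mapping an untrusted string onto the file system or onto a display name. The block below is an added example, not Jenkins code, of the checks a practitioner would want at each of those points: reject control and format characters in a user ID, escape the ID before using it as a directory entry, and resolve a resource URL under a fixed root while refusing traversal and the forbidden directories regardless of letter case. The root path, the %XX escape scheme and the forbidden-directory list are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
	"unicode"
)

var (
	ErrInvalidUserID = errors.New("user id contains control or format characters")
	ErrTraversal     = errors.New("path escapes the resource root")
	ErrForbiddenDir  = errors.New("path reaches a forbidden directory")
)

// validateUserID rejects ids containing Unicode control (Cc) or format (Cf)
// characters such as backspace, zero-width space or bidi overrides, which are
// invisible when rendered and let one account masquerade as another.
func validateUserID(id string) error {
	if id == "" {
		return ErrInvalidUserID
	}
	for _, r := range id {
		if unicode.IsControl(r) || unicode.Is(unicode.Cf, r) {
			return ErrInvalidUserID
		}
	}
	return nil
}

// userDirName maps a user id to exactly one directory entry by escaping every
// byte outside [A-Za-z0-9_-] as %XX (the escape scheme is an assumption of
// this example). "../config" can no longer climb out of the users directory,
// and distinct ids never collide because '%' itself is escaped.
func userDirName(id string) string {
	var b strings.Builder
	for _, c := range []byte(id) {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-', c == '_':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// forbiddenDirs are compared case-insensitively so that "meta-inf" is refused
// even where the underlying file system would resolve it to META-INF.
var forbiddenDirs = []string{"META-INF", "WEB-INF"}

// resolveResource turns a URL path requested below a plugin resource root into
// a file path: it decodes percent-escapes exactly once, refuses ".." and the
// forbidden directory names component by component, and finally confirms the
// joined path still lies under root.
func resolveResource(root, urlPath string) (string, error) {
	decoded, err := url.PathUnescape(urlPath)
	if err != nil {
		return "", err
	}
	var parts []string
	// Split on both separators: Windows honours '\' as a separator, and a
	// Linux file name containing a backslash is nothing a resource URL should reach.
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, p := range strings.FieldsFunc(decoded, isSep) {
		if p == "." {
			continue
		}
		if p == ".." {
			return "", ErrTraversal
		}
		for _, d := range forbiddenDirs {
			if strings.EqualFold(p, d) {
				return "", ErrForbiddenDir
			}
		}
		parts = append(parts, p)
	}
	full := filepath.Join(append([]string{root}, parts...)...)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := "/var/lib/jenkins/plugins/foo" // assumed resource root
	for _, p := range []string{"/js/foo.js", "/..%2f..%2fsecrets/master.key", "/meta-inf/MANIFEST.MF"} {
		f, err := resolveResource(root, p)
		fmt.Printf("%-32s -> %q %v\n", p, f, err)
	}
	fmt.Println(userDirName("../config"), validateUserID("alice\u200b"))
}
```

Decoding the URL path only once matters: a double-encoded "%252f" stays a literal "%2f" in the file name rather than becoming a separator, and the component-wise check runs on the decoded form so "..%2f.." cannot slip past a check that only looks at the raw URL. The final filepath.Rel test is deliberate redundancy in case a later change to the component loop lets something through.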
Jenkins bundled a version of the commons-httpclient library that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup, leaving multiple security-related settings at values less strict than their usual defaults.