Advisories for Maven/Org.jenkins-Ci.main/Jenkins-Core package

2024

Jenkins item creation restriction bypass vulnerability

Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2). Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)). If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fails, Jenkins …

Jenkins exposes multi-line secrets through error messages

Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line secrets through those error messages, e.g., in the system log. Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the …

Jenkins Remoting library arbitrary file read vulnerability

Jenkins uses the Remoting library (typically agent.jar or remoting.jar) for the communication between controller and agents. This library allows agents to load classes and classloader resources from the controller, so that Java objects sent from the controller (build steps, etc.) can be executed on agents. In addition to individual class and resource files, Remoting also allows Jenkins plugins to transmit entire jar files to agents using the Channel#preloadJar API. As …

Jenkins does not perform a permission check in an HTTP endpoint

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "My Views". Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 restricts access to a user’s "My Views" to the owning user and administrators.

Improper Neutralization

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

2023

Integer Overflow or Wraparound

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication …

Jenkins does not exclude sensitive build variables from search

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Incorrect Default Permissions

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

Cross-Site Request Forgery (CSRF)

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Incorrect Authorization

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.

Incorrect Authorization

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

2022

Uncontrolled Resource Consumption

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

Observable Discrepancy

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.

2021

Protection Mechanism Failure

Jenkins does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.

Cross-site Scripting

Jenkins does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

2020

Cross-site Scripting

Jenkins does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

2019

Cross-site Scripting

Jenkins does not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

Path Traversal

A path traversal vulnerability in Jenkins in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

Path Traversal

A path traversal vulnerability exists in the Stapler web framework used by Jenkins that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.

Insufficient Session Expiration

An improper authorization vulnerability exists in Jenkins in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing them to persist access to temporarily compromised user accounts.

Path Traversal

A path traversal vulnerability exists in Jenkins, in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

Information Exposure

An information exposure vulnerability exists in Jenkins, LTS, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.

2018

Path Traversal

A data modification vulnerability exists in Jenkins in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.

Information Exposure

An information exposure vulnerability exists in Jenkins in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.

Cross-site Scripting

A cross-site scripting vulnerability exists in Jenkins, in BuildTimelineWidget.java, that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Cross-site Scripting

A cross-site scripting vulnerability exists in Jenkins that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP error pages while Stapler debug mode is enabled.

Path Traversal

A path traversal vulnerability exists in Jenkins in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Injection Vulnerability

An improper neutralization of control sequences vulnerability exists in Jenkins in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Information Exposure

Jenkins is vulnerable to an information disclosure vulnerability in search suggestions. The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones to which the current user does not have access.

Cross-site Scripting

Jenkins is vulnerable to a persisted cross-site scripting vulnerability in console notes. Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

Information Exposure

Jenkins is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible. This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

Cross-site Scripting

A cross-site scripting vulnerability exists in Jenkins in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Path Traversal

Jenkins and Jenkins LTS do not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allows users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master …

Improper Authentication

The login command available in the remoting-based CLI stores the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values, were able to impersonate any other Jenkins user on the same instance.

OS Command Injection

Users with permission to create or configure agents in Jenkins could configure a launch method called "Launch agent via execution of command on master". This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Improper Input Validation

The Jenkins default form control for passwords and other secrets, <f:password/>, supports form validation. The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files.

Improper Input Validation

Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Cross-site Scripting

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Cross-Site Request Forgery (CSRF)

A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

2017
2016