Monthly Archive: September 2020

Spiceworks Version

Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%282%29...

Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access...

Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins...

Jenkins JSGames Plugin 0.2 and earlier evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1905 http://www.openwall.com/lists/oss-security/2020/09/01/3

Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1831 http://www.openwall.com/lists/oss-security/2020/09/01/3

Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents. Date published...

Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1829 http://www.openwall.com/lists/oss-security/2020/09/01/3

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for...

Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1936 http://www.openwall.com/lists/oss-security/2020/09/01/3

A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1024 http://www.openwall.com/lists/oss-security/2020/09/01/3

A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1024 http://www.openwall.com/lists/oss-security/2020/09/01/3

A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. Date published : 2020-09-01 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1023 http://www.openwall.com/lists/oss-security/2020/09/01/3

Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller...