Monthly Archive: September 2020

A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. Date published : 2020-09-16...

Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Date published :...

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the...

Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Date published : 2020-09-16...

Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Date published...

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin’s...

Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller Date published : 2020-09-16 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1980 http://www.openwall.com/lists/oss-security/2020/09/16/3

A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. Date published : 2020-09-16 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1979 http://www.openwall.com/lists/oss-security/2020/09/16/3

Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. Date published : 2020-09-16 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1912 http://www.openwall.com/lists/oss-security/2020/09/16/3

Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint. Date published : 2020-09-16...

Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Date published : 2020-09-16 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1935 http://www.openwall.com/lists/oss-security/2020/09/16/3

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers...

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. Date published : 2020-09-16 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961 http://www.openwall.com/lists/oss-security/2020/09/16/3

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system. Date...