Jenkins Security Advisories


This advisory announces vulnerabilities in Jenkins.

CSRF vulnerability and missing permission check allowed changing default graph configuration in Static

This advisory announces vulnerabilities in Jenkins.

CSRF vulnerability and missing permission checks in GitLab Plugin allowed capturing credentials 

This advisory announces vulnerabilities in Jenkins

Jenkins accepted cached legacy CLI authentication 

SECURITY-1289 / CVE-2019-1003049

This advisory announces vulnerabilities in Jenkins.

IRC Plugin stores credentials in plain text

SECURITY-829

IRC Plugin

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Sandbox Bypass in Script Security and Pipeline Plugins 

SECURITY-1266

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Code execution through crafted URLs 

SECURITY-595

Jenkins uses the Stapler

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Sandbox Bypass in Script Security and Pipeline Groovy Plugins 

SECURITY-1186

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Path traversal vulnerability in Stapler allowed accessing internal data 

SECURITY-867 / CVE

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CSRF vulnerability in JUnit Plugin SECURITY-1101

A URL used to allow setting the

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Jenkins allowed deserialization of URL objects with host components - SECURITY-637

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next 

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials 

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Server-side request forgery vulnerability in Git Plugin - SECURITY-810 / CVE pending

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CLI and UI allow non-admin users to enumerate installed plugins - SECURITY-771

Users with

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Session fixation vulnerability in Google Login Plugin - SECURITY-442

Google Login Plugin did

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read 

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SECURITY-261 and SECURITY-697 - GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SECURITY-248 - Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery

SECURITY-506

This advisory announces vulnerabilities in these Jenkins plugins:

XXE vulnerabilities in multiple static analysis plugins

SECURITY-659 / CVE pending (CCM)

This advisory announces vulnerabilities in these Jenkins plugins:

XXE vulnerabilities in multiple static analysis plugins

SECURITY-655 (PMD)
SECURITY-656 (Checkstyle)

The information on this page is current as of February 1, 2018.

CloudBees Security Advisory 2018-01-04 is published regarding CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, also known as Spectre/Meltdown. This is an atypical security advisory based on an...

What are Spectre and Meltdown?

Meltdown is a security flaw that could allow malicious programs to

This advisory announces two vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Random failures to initialize the setup wizard on startup

SECURITY-667

A race condition

This advisory announces a vulnerability in the Script Security Jenkins plugin

Arbitrary file read vulnerability in Script Security Plugin

SECURITY-663

Users with the

This advisory announces a vulnerability in the EC2 plugin.

Arbitrary shell command execution on master by users with Agent-related permissions in EC2 Plugin

SECURITY-

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Stored XSS vulnerability in tool names exploitable by administrators

SECURITY-624 / CVE pending

This advisory announces vulnerabilities in these Jenkins plugins:

Reflected Cross-Site Scripting vulnerability in Delivery Pipeline plugin

SECURITY-640 / CVE pending

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Unsafe use of user names as directory names

SECURITY-499 / CVE pending

Jenkins stores

This advisory announces vulnerabilities in these Jenkins plugins:

Persisted Cross-Site Scripting vulnerability in Active Choices plugin

SECURITY-470 / CVE pending

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform, CloudBees Jenkins Solutions, and these plugins:

Arbitrary shell command execution on master by users with Agent-related permissions

SECURITY-478 / CVE 

This advisory announces a vulnerability in the SAML Plugin.

SAML Plugin stored keystore and private key passwords in plain text

JENKINS-46007

The SAML

This advisory announces vulnerabilities in these Jenkins plugins:

Persistent XSS vulnerability in Static Analysis Utilities and DRY Plugins

SECURITY-467 / CVE-2017-1000102 (

This advisory announces vulnerabilities in these Jenkins plugins:

Parameterized Trigger Plugin fails to check Item/Build permission

SECURITY-201 / CVE-2017-1000084

This advisory announces a vulnerability in the Favorite Plugin.

Missing permission check in Favorite Plugin allows anyone to change favorites for any other user

JENKINS-44643

This advisory announces a vulnerability in the Git Client Plugin.

Git Client Plugin stored sensitive information in world-readable temporary files

SECURITY-445

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform, and CloudBees Jenkins Solutions.

CSRF: Multiple vulnerabilities

SECURITY-412 through SECURITY-420 / CVE-2017-1000356

Multiple

This advisory announces vulnerabilities and security-related changes in these Jenkins plugins that are part of the CloudBees Jenkins Solution:

  • CloudBees Role-Based Access Control
  • Email Extension (Email-ext)
  • Matrix Authorization Strategy

The Jenkins...

Arbitrary code execution vulnerabilities

All of these allow users with relatively low privileges (like Overall/Read

This advisory announces vulnerabilities in these Jenkins plugins:

  • Active Directory
  • DistFork
  • Email Extension (Email-ext)
  • Mailer
  • Pipeline: Classpath Step
  • SSH Slaves

SSH Slaves Plugin did not verify host keys

SECURITY-161 / CVE-2017-2648

The SSH Slaves Plugin

This advisory announces a vulnerability in the Maven Pipeline Plugin 0.6.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

Due

This advisory announces a vulnerability in the Maven Pipeline Plugin.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

The

This advisory announces multiple vulnerabilities in Jenkins and CloudBees Jenkins Platform.

These vulnerabilities affect the following components:

  • CloudBees Jenkins Operations Center
  • CloudBees Jenkins Enterprise
  • DEV@cloud
  • ...

CSRF vulnerability in RBAC Plugin permission management

  • CJP-5866 / CVE-2016-9887

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.

Remote code execution vulnerability in remoting module

This advisory announces a vulnerability in the Cucumber Reports Plugin.

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

SECURITY-309

This advisory announces a vulnerability in the CloudBees Template Plugin.

Failure to enforce template read permission

CJP-4615

The CloudBees Template Plugin did not

This advisory announces vulnerabilities in these Jenkins plugins:

  • Async Http Client Plugin
  • Build Failure Analyzer Plugin
  • Image Gallery Plugin
  • TAP Plugin

Path traversal vulnerability in TAP Plugin

SECURITY-85 / CVE-2016-4986

The plugin did not

Revised 2016-05-12: Added CJP-4586

This advisory announces multiple vulnerabilities in Jenkins, and a vulnerability in CloudBees Operations Center Context Plugin.

Arbitrary build parameters are passed to build scripts as environment variables

SECURITY-170 / CVE-2016-3721

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

This advisory announces multiple vulnerabilities in Jenkins.

Remote code execution vulnerability in remoting module

This advisory announces multiple vulnerabilities in Jenkins.

Stored XSS vulnerability through workspace files and archived artifacts

SECURITY-95

This advisory announces multiple vulnerabilities in Jenkins.

Project name disclosure via fingerprints

SECURITY-153 / CVE-2015-5317

The Jenkins UI allowed

This security advisory involves the Jenkins CLI.

SECURITY-218

CloudBees Product Security has been made aware of a remote code execution vulnerability mountable by an anonymous attacker who

This advisory announces a security vulnerability in Jenkins core.

SECURITY-171, SECURITY-177 (Reflective XSS vulnerability)

An attacker without any access to Jenkins can navigate the

This advisory announces:

SECURITY-125 (Combination filter Groovy script unsecured)

This vulnerability allows users with the job configuration

This advisory announces a security vulnerability/hardening (CVE-2014-3665) in Jenkins core.

Historically, Jenkins master and slaves behaved as if they altogether form a single distributed process. This means a slave

This advisory announces:

  • multiple security vulnerabilities that were found in Jenkins core.
  • two security vulnerabilities found in the monitoring plugin

Affected Versions:

  • All the
  • ...

SECURITY-87 / CVE-2014-3661 (anonymous DoS attack through CLI handshake)

This vulnerability allows unauthenticated

This advisory announces multiple security vulnerabilities that were found in Jenkins Enterprise by CloudBees plugins.

RM-2332 / CVE-2014-2661

The CloudBees Backup plugin allowed any Jenkins user able to create a job (and make an SFTP or

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-105

In some places, Jenkins XML API uses XStream to deserialize arbitrary content, which is

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-63 / CVE-2013-2034

This creates a 

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

One of the vulnerabilities allows 

This advisory announces a security vulnerability that was found in the Jenkins core.

This vulnerability allows an attacker with HTTP access to the server to retrieve the master cryptographic key of Jenkins.

This advisory announces two security vulnerabilities that were found in Jenkins core.

The first vulnerability is commonly known as HTTP response

This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.

The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote

This advisory announces a couple of critical security vulnerabilities that were found in Jenkins core.

The first vulnerability is a directory traversal vulnerability. This allows an anonymous attacker to read files in the file

This vulnerability allows attackers to gain access as administrative users, when Active Directory is configured to support

Vulnerability in Jenkins Core

Vulnerability in Jenkins OpenID plugin

This vulnerability allowed malicious users to assume the identity of arbitrary users without going through the proper OpenID

This vulnerability allowed malicious users to assume the identity of arbitrary users. This affects the Active Directory plugin