Jenkins Security Advisories


CloudBees Security Advisory 2019-07-17

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins

Jenkins Security Advisory 2019-07-11

This advisory announces vulnerabilities in Jenkins.

CSRF vulnerability and missing permission check in Docker Plugin allowed capturing credentials 

CloudBees Security Advisory 2019-06-11

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins

Jenkins Security Advisory 2019-05-31

This advisory announces vulnerabilities in Jenkins.

Persisted XSS vulnerability in Warnings Next Generation Plugin 

SECURITY-1373 / CVE-2019-

CloudBees Security Advisory 2019-05-21

This advisory announces vulnerabilities in
Jenkins, CloudBees

Jenkins Security Advisory 2019-04-30

This advisory announces vulnerabilities in Jenkins.

CSRF vulnerability and missing permission check allowed changing default graph configuration in Static

Jenkins Security Advisory 2019-04-17

This advisory announces vulnerabilities in Jenkins.

CSRF vulnerability and missing permission checks in GitLab Plugin allowed capturing credentials 

CloudBees Security Advisory 2019-04-10

This advisory announces vulnerabilities in Jenkins

Jenkins accepted cached legacy CLI authentication 

SECURITY-1289 / CVE-2019-1003049

Jenkins Security Advisory 2017-04-03

This advisory announces vulnerabilities in Jenkins.

IRC Plugin stores credentials in plain text

SECURITY-829

IRC Plugin

CloudBees Security Advisory 2019-03-25

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform

CloudBees Security Advisory 2019-03-06

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

CloudBees Security Advisory 2019-02-19

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

CloudBees Security Advisory 2019-01-28

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

CloudBees Security Advisory 2019-01-16

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and

CloudBees Security Advisory 2019-01-08

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Sandbox Bypass in Script Security and Pipeline Plugins 

SECURITY-1266

CloudBees Security Advisory 2018-12-05

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Code execution through crafted URLs 

SECURITY-595

Jenkins uses the Stapler

CloudBees Security Advisory 2018-10-29

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Sandbox Bypass in Script Security and Pipeline Groovy Plugins 

SECURITY-1186

CloudBees Security Advisory 2018-10-10

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Path traversal vulnerability in Stapler allowed accessing internal data 

SECURITY-867 / CVE

CloudBees Security Advisory 2018-09-25

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CSRF vulnerability in JUnit Plugin - SECURITY-1101

A URL used to allow setting the

CloudBees Security Advisory 2018-08-15

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Jenkins allowed deserialization of URL objects with host components - SECURITY-637

CloudBees Security Advisory 2018-07-30

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins

CloudBees Security Advisory 2018-07-18

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next 

CloudBees Security Advisory 2018-06-25

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials 

CloudBees Security Advisory 2018-06-04

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Server-side request forgery vulnerability in Git Plugin - SECURITY-810 / CVE-2018-1000182

CloudBees Security Advisory 2018-05-09

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CLI and UI allow non-admin users to enumerate installed plugins - SECURITY-771

Users with

CloudBees Security Advisory 2018-04-16

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Session fixation vulnerability in Google Login Plugin - SECURITY-442

Google Login Plugin did

CloudBees Security Advisory 2018-04-11

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read 

CloudBees Security Advisory 2018-03-26

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SECURITY-261 and SECURITY-697 - GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

CloudBees Security Advisory 2018-02-26

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SECURITY-248 - Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject

CloudBees Security Advisory 2018-02-14

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery

SECURITY-506

CloudBees Security Advisory 2018-02-05

This advisory announces vulnerabilities in these Jenkins plugins:

XXE vulnerabilities in multiple static analysis plugins

SECURITY-659 / CVE-2018-1000054 (CCM)

CloudBees Security Advisory 2018-01-22

This advisory announces vulnerabilities in these Jenkins plugins:

XXE vulnerabilities in multiple static analysis plugins

SECURITY-655 (PMD)
SECURITY-656 (Checkstyle)

CloudBees Security Advisory 2018-01-04

The information on this page is current as of February 1, 2018.

CloudBees Security Advisory 2018-01-04 is published in regards to CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 - also known as Spectre/Meltdown. This...

What are Spectre and Meltdown?

Meltdown is a security flaw that could allow malicious programs to

CloudBees Security Advisory 2017-12-14

This advisory announces two vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Random failures to initialize the setup wizard on startup

SECURITY-667

A race condition

CloudBees Security Advisory 2017-12-11

This advisory announces a vulnerability in the Script Security Jenkins plugin

Arbitrary file read vulnerability in Script Security Plugin

SECURITY-663

Users with the

CloudBees Security Advisory 2017-12-06

This advisory announces a vulnerability in the EC2 plugin.

Arbitrary shell command execution on master by users with Agent-related permissions in EC2 Plugin

SECURITY-

CloudBees Security Advisory 2017-12-05

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Stored XSS vulnerability in tool names exploitable by administrators

SECURITY-624

Jenkins

Jenkins Security Advisory 2017-11-16

This advisory announces vulnerabilities in these Jenkins plugins:

Reflected Cross-Site Scripting vulnerability in Delivery Pipeline plugin

SECURITY-640 / CVE-2017-1000404

CloudBees Security Advisory 2017-11-08

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Unsafe use of user names as directory names

SECURITY-499 / CVE-2017-1000391

Jenkins stores

Jenkins Security Advisory 2017-10-23

This advisory announces vulnerabilities in these Jenkins plugins:

Persisted Cross-Site Scripting vulnerability in Active Choices plugin

SECURITY-470 / CVE-2017-1000386

CloudBees Security Advisory 2017-10-11

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform, CloudBees Jenkins Solutions, and these plugins:

Arbitrary shell command execution on master by users with Agent-related permissions

SECURITY-478 / CVE-2017-

Jenkins Security Advisory 2017-08-08

This advisory announces a vulnerability in the SAML Plugin.

SAML Plugin stored keystore and private key passwords in plain text

JENKINS-46007

The SAML

CloudBees Security Advisory 2017-08-07

This advisory announces vulnerabilities in these Jenkins plugins:

Persistent XSS vulnerability in Static Analysis Utilities and DRY Plugins

SECURITY-467 / CVE-2017-1000102 (

CloudBees Security Advisory 2017-07-10

This advisory announces vulnerabilities in these Jenkins plugins:

Parameterized Trigger Plugin fails to check Item/Build permission

SECURITY-201 / CVE-2017-1000084

CloudBees Security Advisory 2017-06-06

This advisory announces a vulnerability in the Favorite Plugin.

Missing permission check in Favorite Plugin allows anyone to change favorites for any other user

JENKINS-44643

CloudBees Security Advisory 2017-04-27

This advisory announces a vulnerability in the Git Client Plugin.

Git Client Plugin stored sensitive information in world-readable temporary files

SECURITY-445

CloudBees Security Advisory 2017-04-26

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform, and CloudBees Jenkins Solutions.

CSRF: Multiple vulnerabilities

SECURITY-412 through SECURITY-420 / CVE-2017-1000356

Multiple

CloudBees Security Advisory 2017-04-10

This advisory announces vulnerabilities and security-related changes in these Jenkins plugins that are part of the CloudBees Jenkins Solution:

  • CloudBees Role-Based Access Control
  • Email Extension (Email-ext)
  • Matrix
  • ...

Arbitrary code execution vulnerabilities

All of these allow users with relatively low privileges (like Overall/Read

Jenkins Security Advisory 2017-03-20

This advisory announces vulnerabilities in these Jenkins plugins:

  • Active Directory
  • DistFork
  • Email Extension (Email-ext)
  • Mailer
  • Pipeline: Classpath Step
  • SSH Slaves
  • ...

SSH Slaves Plugin did not verify host keys

SECURITY-161 / CVE-2017-2648

The SSH Slaves Plugin

Jenkins Security Advisory 2017-03-09

This advisory announces a vulnerability in the Maven Pipeline Plugin 0.6.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

Due

Jenkins Security Advisory 2017-03-07

This advisory announces a vulnerability in the Maven Pipeline Plugin.

Maven Pipeline Plugin allows reading arbitrary files from the Jenkins master

SECURITY-441

The

CloudBees Security Advisory 2017-02-01

This advisory announces multiple vulnerabilities in Jenkins and CloudBees Jenkins Platform.

These vulnerabilities affect the following components:

  • CloudBees Jenkins Operations Center
  • ...

CSRF vulnerability in RBAC Plugin permission management

  • CJP-5866 / CVE-2016-9887

Jenkins Security Advisory 2016-11-16

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.

Remote code execution vulnerability in remoting module

Jenkins Security Advisory 2016-07-27

This advisory announces a vulnerability in the Cucumber Reports Plugin.

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

SECURITY-309

CloudBees Jenkins Platform Security Advisory 2016-07-05

This advisory announces a vulnerability in the CloudBees Template Plugin.

Failure to enforce template read permission

CJP-4615

The CloudBees Template Plugin did not

Jenkins Security Advisory 2016-06-20

This advisory announces vulnerabilities in these Jenkins plugins:

  • Async Http Client Plugin
  • Build Failure Analyzer Plugin
  • Image Gallery Plugin
  • TAP Plugin

Path traversal vulnerability in TAP Plugin

SECURITY-85 / CVE-2016-4986

The plugin did not

Jenkins Security Advisory 2016-05-11

Revised 2016-05-12: Added CJP-4586

This advisory announces multiple vulnerabilities in Jenkins, and a vulnerability in CloudBees Operations Center...

Arbitrary build parameters are passed to build scripts as environment variables

SECURITY-170 / CVE-2016-3721

Jenkins Security Advisory 2016-04-11

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

Jenkins Security Advisory 2016-02-24

This advisory announces multiple vulnerabilities in Jenkins.

Remote code execution vulnerability in remoting module

Jenkins Security Advisory 2015-12-09

This advisory announces multiple vulnerabilities in Jenkins.

Stored XSS vulnerability through workspace files and archived artifacts

SECURITY-95

Jenkins Security Advisory 2015-11-11

This advisory announces multiple vulnerabilities in Jenkins.

Project name disclosure via fingerprints

SECURITY-153 / CVE-2015-5317

The Jenkins UI allowed

Jenkins Security Advisory 2015-11-06

This security advisory involves the Jenkins CLI.

SECURITY-218

CloudBees Product Security has been made aware of a remote code execution vulnerability mountable by an anonymous attacker who

Jenkins Security Advisory 2015-03-23

This advisory announces security vulnerabilities in Jenkins core.

SECURITY-171, SECURITY-177 (Reflective XSS vulnerability)

An attacker without any access to Jenkins can navigate the

Jenkins Security Advisory 2015-02-27

This advisory announces:

  • multiple security vulnerabilities that were found in Jenkins core.
  • a security vulnerability found in
  • ...

SECURITY-125 (Combination filter Groovy script unsecured)

This vulnerability allows users with the job configuration

Jenkins Security Advisory 2014-10-30

This advisory announces a security vulnerability/hardening (CVE-2014-3665) in Jenkins core.

Historically, Jenkins master and slaves behaved as if they altogether form a single distributed process. This means a slave

Jenkins Security Advisory 2014-10-01

This advisory announces:

  • multiple security vulnerabilities that were found in Jenkins core.
  • two security vulnerabilities found in the monitoring plugin
  • ...

SECURITY-87 / CVE-2014-3661 (anonymous DoS attack through CLI handshake)

This vulnerability allows unauthenticated

Jenkins Security Advisory 2014-04-01

This advisory announces multiple security vulnerabilities that were found in Jenkins Enterprise by CloudBees plugins.

RM-2332 / CVE-2014-2661

The CloudBees Backup plugin allowed any Jenkins user able to create a job (and make an SFTP or

Jenkins Security Advisory 2014-02-14

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-105

In some places, Jenkins XML API uses XStream to deserialize arbitrary content, which is

Jenkins Security Advisory 2013-05-02

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-63 / CVE-2013-2034

This creates a 

Jenkins Security Advisory 2013-02-16

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

One of the vulnerabilities allows 

Jenkins Security Advisory 2013-01-04

This advisory announces a security vulnerability that was found in the Jenkins core.

This vulnerability allows an attacker with an HTTP access to the server to retrieve the master cryptographic key of Jenkins.

Jenkins Security Advisory 2012-11-20

This advisory announces two security vulnerabilities that were found in Jenkins core.

The first vulnerability is commonly known as HTTP response

Jenkins Security Advisory 2012-09-17

This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.

The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote

Jenkins Security Advisory 2012-03-05

This advisory announces a couple of critical security vulnerabilities that were found in Jenkins core.

The first vulnerability is a directory traversal vulnerability. This allows an anonymous attacker to read files in the file

Jenkins Security Advisory 2012-01-24

Vulnerability in Jenkins Active Directory plugin

This vulnerability allows attackers to gain access as administrative users, when Active Directory is configured to support

Jenkins Security Advisory 2012-01-12

Vulnerability in Jenkins Core

Jenkins Security Advisory 2011-11-08

Vulnerability in Jenkins Core

Jenkins Security Advisory 2011-10-28

Vulnerability in Jenkins OpenID plugin

This vulnerability allowed malicious users to assume the identity of arbitrary users without going through the proper OpenID

Jenkins Security Advisory 2011-10-20

Vulnerability in Jenkins Active Directory plugin

This vulnerability allowed malicious users to assume the identity of arbitrary users. This affects the Active directory plugin