Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-spe…
[org.jenkins-ci.plugins:xframium] Jenkins XFramium Builder Plugin disables Content-Security-Policy protection for user-generated content
Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
[com.compuware.jenkins:compuware-strobe-measurement] Jenkins Compuware Strobe Measurement Plugin Missing Authorization vulnerability
Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
[org.jenkins-ci.plugins.workflow:workflow-cps] Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, includi…
[io.jenkins.plugins:pipeline-groovy-lib] Jenkins Pipeline: Groovy Libraries Plugin vulnerable to Protection Mechanism Failure
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass t…
[org.jenkins-ci.plugins.workflow:workflow-cps-global-lib] Jenkins Pipeline: Deprecated Groovy Libraries Plugin vulnerable to Protection Mechanism Failure
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, …
[org.jenkins-ci.plugins:script-security] Jenkins Script Security Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, includ…
[org.jenkins-ci.plugins:script-security] Jenkins Script Security Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed …
[org.jenkins-ci.plugins:script-security] Jenkins Script Security Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to byp…
[org.jenkins-ci.plugins:katalon] Jenkins Katalon Plugin vulnerable to Protection Mechanism Failure
Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon …