Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller fi…
[com.compuware.jenkins:compuware-strobe-measurement] Jenkins Compuware Strobe Measurement Plugin Missing Authorization vulnerability
Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
References
https://nv…
[com.compuware.jenkins:compuware-topaz-for-total-test] Jenkins Compuware Topaz for Total Test Plugin vulnerable to Protection Mechanism Failure
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from …
[io.jenkins.plugins:screenrecorder] Jenkins ScreenRecorder Plugin disables Content-Security-Policy protection for user-generated content
Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
References
https://nvd.nist.gov/vuln/detail…
[org.jenkins-ci.plugins:xframium] Jenkins XFramium Builder Plugin disables Content-Security-Policy protection for user-generated content
Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
References
https://nvd.nist.gov/vuln/d…
[org.jenkins-ci.plugins:nunit] Jenkins NUnit Plugin vulnerable to Protection Mechanism Failure
Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-spe…
[com.compuware.jenkins:compuware-scm-downloader] Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin vulnerable to Protection Mechanism Failure
Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of …
[org.jenkins-ci.plugins.workflow:workflow-support] Jenkins Pipeline: Supporting APIs Plugin vulnerable to stored Cross-site Scripting
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attacke…
[org.jenkins-ci.plugins.workflow:workflow-cps-global-lib] Jenkins Pipeline: Deprecated Groovy Libraries Plugin vulnerable to Protection Mechanism Failure
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, …
[o.jenkins.plugins:pipeline-groovy-lib] Jenkins Pipeline: Groovy Libraries Plugin vulnerable to Protection Mechanism Failure
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass t…