Date: Sat, 18 Nov 2017 08:26:09 +0100
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins plugins

> On 23. Oct 2017, at 14:20, Daniel Beck <> wrote:
> Active Choices plugin allowed users with Job/Configure permission to
> provide arbitrary HTML to be shown on the Build With Parameters page
> through the Active Choices Reactive Reference Parameter type. This could
> include, for example, arbitrary JavaScript.


> Some URLs provided by global-build-stats plugin returned a JSON response 
> that contained request parameters. These responses had the 
> Content-Type: text/html, so could have been interpreted as HTML by clients,
> resulting in a potential reflected cross-site scripting vulnerability.
> Additionally, some URLs provided by global-build-stats plugin that modify 
> data did not require POST requests to be sent, resulting in a potential 
> cross-site request forgery vulnerability.


> Dependency Graph Viewer plugin did not perform permission checks for the 
> API endpoint that modifies the dependency graph, allowing anyone with 
> Overall/Read permission to modify this data.


> Build-Publisher plugin stores credentials to other Jenkins instances in the 
> file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins 
> master home directory. These credentials were stored unencrypted, allowing 
> anyone with local file system access to access them.
> Additionally, the credentials were also transmitted in plain text as part 
> of the configuration form. This could result in exposure of the API key 
> through browser extensions, cross-site scripting vulnerabilities, and 
> similar situations.


> JENKINS-36333
> Multijob plugin did not check permissions in the Resume Build action, 
> allowing anyone with Job/Read permission to resume the build.
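The global-build-stats and Dependency Graph Viewer items above describe the same three defects in a Jenkins/Stapler web endpoint: a state-changing URL reachable by GET, no permission check, and request parameters echoed in a body served as text/html. The following is an added example (not code from any of the plugins named in the thread) of a hypothetical RootAction written the way the fixed versions are described; the class name, URL name and the ADMINISTER permission choice are assumptions.

```java
// Added example, not plugin code. ExampleStatsAction and its URL are hypothetical.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleStatsAction implements RootAction {

    // Vulnerable shape, as described in the advisory (kept as a comment so it
    // cannot be deployed by accident):
    //
    // public void doUpdate(StaplerRequest req, StaplerResponse rsp,
    //                      @QueryParameter String name) throws IOException {
    //     applyChange(name);                    // anyone with Overall/Read, via GET (CSRF)
    //     rsp.setContentType("text/html");      // browser renders the echoed value as HTML
    //     rsp.getWriter().write("{\"name\":\"" + name + "\"}");
    // }

    // Hardened shape.
    @RequirePOST  // Stapler rejects GET, so a cross-site <img>/<form> cannot trigger the change.
    public HttpResponse doUpdate(@QueryParameter String name) {
        // Fail closed: the caller must hold Overall/Administer, not merely Overall/Read.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        applyChange(name);

        // The echoed parameter is placed in a JSONObject, not string-concatenated,
        // and okJSON serves it with Content-Type application/json, so a client
        // will not interpret the reflected value as markup.
        JSONObject json = new JSONObject();
        json.put("name", name);
        return HttpResponses.okJSON(json);
    }

    private void applyChange(String name) {
        // Hypothetical: persist the modification the endpoint exists for.
    }

    @Override public String getIconFileName() { return null; }  // no sidebar link
    @Override public String getDisplayName()  { return "Example stats"; }
    @Override public String getUrlName()      { return "example-stats"; }
}
```

A plugin-level regression check for the first two defects is to request the endpoint with GET and with an Overall/Read-only user and assert that both are refused before the data is touched.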

