Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-34796: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE
#xss#csrf#vulnerability#web#cisco#git#java#xpath#ssrf#auth

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Build Notifications Plugin
  • build-metrics Plugin
  • Cisco Spark Plugin
  • Deployment Dashboard Plugin
  • Elasticsearch Query Plugin
  • eXtreme Feedback Panel Plugin
  • Failed Job Deactivator Plugin
  • GitLab Plugin
  • hpe-network-virtualization Plugin
  • Jigomerge Plugin
  • Matrix Reloaded Plugin
  • OpsGenie Plugin
  • Plot Plugin
  • Project Inheritance Plugin
  • Recipe Plugin
  • Request Rename Or Delete Plugin
  • requests-plugin Plugin
  • Rich Text Publisher Plugin
  • RocketChat Notifier Plugin
  • RQM Plugin
  • Skype notifier Plugin
  • TestNG Results Plugin
  • Validating Email Parameter Plugin
  • XebiaLabs XL Release Plugin
  • XPath Configuration Viewer Plugin

Descriptions****Stored XSS vulnerability in GitLab Plugin

SECURITY-2316 / CVE-2022-34777
Severity (CVSS): High
Affected plugin: gitlab-plugin
Description:

GitLab Plugin 1.5.34 and earlier does not escape multiple user-provided values shown as part of the build cause of webhook-triggered builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GitLab Plugin 1.5.35 does not show user-provided fields in the build cause of webhook-triggered builds.

XSS vulnerability in TestNG Results Plugin

SECURITY-2788 / CVE-2022-34778
Severity (CVSS): High
Affected plugin: testng-plugin
Description:

TestNG Results Plugin has options in its post-build step configuration to not escape test descriptions and exception messages.

If those options are unchecked, TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.

TestNG Results Plugin 555.va0d5f66521e3 by default ignores the user-level options to not escape content.

Administrators who want to restore this functionality must set the Java system property hudson.plugins.testng.Publisher.allowUnescapedHTML to true.

Missing permission checks in XebiaLabs XL Release Plugin allow enumerating credentials IDs

SECURITY-2773 (1) / CVE-2022-34779
Severity (CVSS): Medium
Affected plugin: xlrelease-plugin
Description:

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in XebiaLabs XL Release Plugin 22.0.1 requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in XebiaLabs XL Release Plugin allow capturing credentials

SECURITY-2773 (2) / CVE-2022-34780 (CSRF), CVE-2022-34781 (missing authorization)
Severity (CVSS): Medium
Affected plugin: xlrelease-plugin
Description:

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

Incorrect permission check in requests-plugin Plugin allows viewing pending requests

SECURITY-2650 / CVE-2022-34782
Severity (CVSS): Medium
Affected plugin: requests
Description:

requests-plugin Plugin 2.2.16 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

This is basically the same vulnerability as SECURITY-1995, whose fix was ineffective.

requests-plugin Plugin 2.2.17 requires Overall/Administer permission to view the list of pending requests.

Stored XSS vulnerability in Plot Plugin

SECURITY-2220 / CVE-2022-34783
Severity (CVSS): High
Affected plugin: plot
Description:

Plot Plugin 2.1.10 and earlier does not escape plot descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Stored XSS vulnerability in build-metrics Plugin

SECURITY-1118 / CVE-2022-34784
Severity (CVSS): High
Affected plugin: build-metrics
Description:

build-metrics Plugin 1.3 does not escape the build description on one of its views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.

Missing permission checks in build-metrics Plugin

SECURITY-2643 / CVE-2022-34785
Severity (CVSS): Medium
Affected plugin: build-metrics
Description:

build-metrics Plugin 1.3 and earlier does not perform a permission check in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.

Stored XSS vulnerability in Rich Text Publisher Plugin

SECURITY-2332 / CVE-2022-34786
Severity (CVSS): High
Affected plugin: rich-text-publisher-plugin
Description:

Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

XSS vulnerability in Project Inheritance Plugin

SECURITY-1919 / CVE-2022-34787
Severity (CVSS): High
Affected plugin: project-inheritance
Description:

Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.

Stored XSS vulnerability in Matrix Reloaded Plugin

SECURITY-1926 / CVE-2022-34788
Severity (CVSS): High
Affected plugin: matrix-reloaded
Description:

Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

CSRF vulnerability in Matrix Reloaded Plugin

SECURITY-2016 / CVE-2022-34789
Severity (CVSS): Medium
Affected plugin: matrix-reloaded
Description:

Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild previous matrix builds.

Stored XSS vulnerability in eXtreme Feedback Panel Plugin

SECURITY-1939 / CVE-2022-34790
Severity (CVSS): High
Affected plugin: xfpanel
Description:

eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Stored XSS vulnerability in Validating Email Parameter Plugin

SECURITY-2165 / CVE-2022-34791
Severity (CVSS): High
Affected plugin: validating-email-parameter
Description:

Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the “Build With Parameters” and “Parameters” pages from vulnerabilities like this by default.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CSRF vulnerability and missing permission checks in Recipe Plugin allow XXE

SECURITY-2000 / CVE-2022-34792 (CSRF), CVE-2022-34793 (XXE), CVE-2022-34794 (missing permission check)
Severity (CVSS): High
Affected plugin: recipe
Description:

Recipe Plugin 1.2 and earlier does not perform a permission check in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin allows users to export the full configuration of jobs as part of a recipe, granting access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.

Stored XSS vulnerability in Deployment Dashboard Plugin

SECURITY-2799 / CVE-2022-34795
Severity (CVSS): High
Affected plugin: ec2-deployment-dashboard
Description:

Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

Missing permission checks in Deployment Dashboard Plugin allow enumerating credentials IDs

SECURITY-2798 (1) / CVE-2022-34796
Severity (CVSS): Medium
Affected plugin: ec2-deployment-dashboard
Description:

Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

CSRF vulnerability and missing permission checks in Deployment Dashboard Plugin

SECURITY-2798 (2) / CVE-2022-34797 (CSRF), CVE-2022-34798 (missing authorization)
Severity (CVSS): Medium
Affected plugin: ec2-deployment-dashboard
Description:

Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Password stored in plain text by Deployment Dashboard Plugin

SECURITY-2070 / CVE-2022-34799
Severity (CVSS): Low
Affected plugin: ec2-deployment-dashboard
Description:

Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

Tokens stored in plain text by Build Notifications Plugin

SECURITY-2056 / CVE-2022-34800 (storage), CVE-2022-34801 (transmission)
Severity (CVSS): Low
Affected plugin: build-notifications
Description:

Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:

  • Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml

  • Slack Bot Token in tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml

  • Telegram Bot Token in tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml

Additionally, they are transmitted in plain text as part of the global configuration form.

These tokens can be viewed by users with access to the Jenkins controller file system.

Secrets stored in plain text by RocketChat Notifier Plugin

SECURITY-2088 / CVE-2022-34802
Severity (CVSS): Low
Affected plugin: rocketchatnotifier
Description:

RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller as part of its configuration.

These secrets can be viewed by users with access to the Jenkins controller file system.

API Key stored in plain text by OpsGenie Plugin

SECURITY-1877 / CVE-2022-34803 (storage), CVE-2022-34804 (transmission)
Severity (CVSS): Medium
Affected plugin: opsgenie
Description:

OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration.

Additionally, they are transmitted in plain text as part of the respective configuration forms.

These API keys can be viewed by users with Item/Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

Password stored in plain text by Skype notifier Plugin

SECURITY-2160 / CVE-2022-34805
Severity (CVSS): Low
Affected plugin: skype-notifier
Description:

Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

Password stored in plain text by Jigomerge Plugin

SECURITY-2083 / CVE-2022-34806
Severity (CVSS): Low
Affected plugin: jigomerge
Description:

Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Password stored in plain text by Elasticsearch Query Plugin

SECURITY-2073 / CVE-2022-34807
Severity (CVSS): Low
Affected plugin: elasticsearch-query
Description:

Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

Token stored in plain text by Cisco Spark Plugin

SECURITY-2055 / CVE-2022-34808
Severity (CVSS): Low
Affected plugin: cisco-spark
Description:

Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file org.jenkinsci.plugins.spark.SparkNotifier.xml on the Jenkins controller as part of its configuration.

These bearer tokens can be viewed by users with access to the Jenkins controller file system.

Password stored in plain text by RQM Plugin

SECURITY-2155 / CVE-2022-34809
Severity (CVSS): Low
Affected plugin: rqm-plugin
Description:

RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file net.praqma.jenkins.rqm.RqmBuilder.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

Missing permission check in RQM Plugin allows enumerating credentials IDs

SECURITY-2806 / CVE-2022-34810
Severity (CVSS): Medium
Affected plugin: rqm-plugin
Description:

RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

Missing permission check in XPath Configuration Viewer Plugin allows accessing XPath Configuration Viewer page

SECURITY-2002 / CVE-2022-34811
Severity (CVSS): Medium
Affected plugin: xpath-config-viewer
Description:

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.

CSRF vulnerability and missing permission checks in XPath Configuration Viewer Plugin

SECURITY-2658 / CVE-2022-34812 (CSRF), CVE-2022-34813 (missing permission check)
Severity (CVSS): Medium
Affected plugin: xpath-config-viewer
Description:

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create and delete XPath expressions.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Incorrect permission check in Request Rename Or Delete Plugin

SECURITY-1996 / CVE-2022-34814
Severity (CVSS): Medium
Affected plugin: rrod
Description:

Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page listing pending requests.

CSRF vulnerability in Request Rename Or Delete Plugin

SECURITY-2657 / CVE-2022-34815
Severity (CVSS): Medium
Affected plugin: rrod
Description:

Request Rename Or Delete Plugin 1.1.0 and earlier does not require POST requests for HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to accept pending requests, thereby renaming or deleting jobs.

Passwords stored in plain text by hpe-network-virtualization Plugin

SECURITY-2080 / CVE-2022-34816
Severity (CVSS): Low
Affected plugin: hpe-network-virtualization
Description:

hpe-network-virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission checks in Failed Job Deactivator Plugin allow disabling jobs

SECURITY-2061 / CVE-2022-34817 (CSRF), CVE-2022-34818 (missing authorization)
Severity (CVSS): Medium
Affected plugin: failedJobDeactivator
Description:

Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints.

This allows attackers with Overall/Read permission to disable jobs.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This CSRF vulnerability is only exploitable in Jenkins 2.286 and earlier, LTS 2.277.1 and earlier. See the LTS upgrade guide.

Severity

  • SECURITY-1118: High
  • SECURITY-1877: Medium
  • SECURITY-1919: High
  • SECURITY-1926: High
  • SECURITY-1939: High
  • SECURITY-1996: Medium
  • SECURITY-2000: High
  • SECURITY-2002: Medium
  • SECURITY-2016: Medium
  • SECURITY-2055: Low
  • SECURITY-2056: Low
  • SECURITY-2061: Medium
  • SECURITY-2070: Low
  • SECURITY-2073: Low
  • SECURITY-2080: Low
  • SECURITY-2083: Low
  • SECURITY-2088: Low
  • SECURITY-2155: Low
  • SECURITY-2160: Low
  • SECURITY-2165: High
  • SECURITY-2220: High
  • SECURITY-2316: High
  • SECURITY-2332: High
  • SECURITY-2643: Medium
  • SECURITY-2650: Medium
  • SECURITY-2657: Medium
  • SECURITY-2658: Medium
  • SECURITY-2773 (1): Medium
  • SECURITY-2773 (2): Medium
  • SECURITY-2788: High
  • SECURITY-2798 (1): Medium
  • SECURITY-2798 (2): Medium
  • SECURITY-2799: High
  • SECURITY-2806: Medium

Affected Versions

  • Build Notifications Plugin up to and including 1.5.0
  • build-metrics Plugin up to and including 1.3
  • Cisco Spark Plugin up to and including 1.1.1
  • Deployment Dashboard Plugin up to and including 1.0.10
  • Elasticsearch Query Plugin up to and including 1.2
  • eXtreme Feedback Panel Plugin up to and including 2.0.1
  • Failed Job Deactivator Plugin up to and including 1.2.1
  • GitLab Plugin up to and including 1.5.34
  • hpe-network-virtualization Plugin up to and including 1.0
  • Jigomerge Plugin up to and including 0.9
  • Matrix Reloaded Plugin up to and including 1.1.3
  • OpsGenie Plugin up to and including 1.9
  • Plot Plugin up to and including 2.1.10
  • Project Inheritance Plugin up to and including 21.04.03
  • Recipe Plugin up to and including 1.2
  • Request Rename Or Delete Plugin up to and including 1.1.0
  • requests-plugin Plugin up to and including 2.2.16
  • Rich Text Publisher Plugin up to and including 1.4
  • RocketChat Notifier Plugin up to and including 1.5.2
  • RQM Plugin up to and including 2.8
  • Skype notifier Plugin up to and including 1.1.0
  • TestNG Results Plugin up to and including 554.va4a552116332
  • Validating Email Parameter Plugin up to and including 1.10
  • XebiaLabs XL Release Plugin up to and including 22.0.0
  • XPath Configuration Viewer Plugin up to and including 1.1.1

Fix

  • GitLab Plugin should be updated to version 1.5.35
  • requests-plugin Plugin should be updated to version 2.2.17
  • TestNG Results Plugin should be updated to version 555.va0d5f66521e3
  • XebiaLabs XL Release Plugin should be updated to version 22.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Build Notifications Plugin
  • build-metrics Plugin
  • Cisco Spark Plugin
  • Deployment Dashboard Plugin
  • Elasticsearch Query Plugin
  • eXtreme Feedback Panel Plugin
  • Failed Job Deactivator Plugin
  • hpe-network-virtualization Plugin
  • Jigomerge Plugin
  • Matrix Reloaded Plugin
  • OpsGenie Plugin
  • Plot Plugin
  • Project Inheritance Plugin
  • Recipe Plugin
  • Request Rename Or Delete Plugin
  • Rich Text Publisher Plugin
  • RocketChat Notifier Plugin
  • RQM Plugin
  • Skype notifier Plugin
  • Validating Email Parameter Plugin
  • XPath Configuration Viewer Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1118, SECURITY-2061
  • Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2332
  • Kevin Guerroudj for SECURITY-2220
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-2643, SECURITY-2650, SECURITY-2657, SECURITY-2658, SECURITY-2798 (1), SECURITY-2798 (2), SECURITY-2799, SECURITY-2806
  • Kevin Guerroudj, Marc Heyries, Justin Philip, Wadeck Follonier, CloudBees, Inc. for SECURITY-2316
  • Long Nguyen, Viettel Cyber Security for SECURITY-2055, SECURITY-2056, SECURITY-2070, SECURITY-2073, SECURITY-2080, SECURITY-2083
  • Long Nguyen, Viettel Cyber Security and, independently, Son Nguyen (@s0nnguy3n_), and Marc Heyries for SECURITY-2088
  • Matt Sicker, ClouBees, Inc., Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc. for SECURITY-2000
  • Matt Sicker, CloudBees, Inc. for SECURITY-1996, SECURITY-2002
  • Son Nguyen (@s0nnguy3n_) for SECURITY-2155, SECURITY-2160
  • Son Nguyen (@s0nnguy3n_), and independently, Kevin Guerroudj for SECURITY-2165
  • Valdes Che Zogou, CloudBees, Inc. for SECURITY-2773 (1), SECURITY-2773 (2), SECURITY-2788
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1919, SECURITY-1926, SECURITY-1939, SECURITY-2016
  • github.com/jetersen for SECURITY-1877

Related news

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34795: Jenkins Security Advisory 2022-06-30

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

CVE-2022-34814: Jenkins Security Advisory 2022-06-30

Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests.

CVE-2022-34778: Jenkins Security Advisory 2022-06-30

Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34790: Jenkins Security Advisory 2022-06-30

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34789: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34813: Jenkins Security Advisory 2022-06-30

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

CVE-2022-34794: Jenkins Security Advisory 2022-06-30

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34803: Jenkins Security Advisory 2022-06-30

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

CVE-2022-34782: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2022-34177: Jenkins Security Advisory 2022-06-22

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVE-2022-29048: Jenkins Security Advisory 2022-04-12

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-29046: Jenkins Security Advisory 2022-04-12

Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2017-2599: Jenkins Security Advisory 2017-02-01

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907