This advisory announces vulnerabilities in the following Jenkins deliverables:
IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
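The plain-text storage pattern reported for the plugins above comes from keeping a secret in a plain String field of a descriptor, which Jenkins serializes as-is into the descriptor's XML file under JENKINS_HOME. The following is an added example, not code from the advisory or from any of the listed plugins: a hypothetical global configuration class (`ExampleServiceConfiguration` in the made-up package `org.example.jenkins`) that holds its API token as `hudson.util.Secret`, so the file `org.example.jenkins.ExampleServiceConfiguration.xml` contains ciphertext keyed to the controller instead of the token itself. The Jenkins APIs used (`GlobalConfiguration`, `Secret`, `@DataBoundSetter`, `StaplerRequest.bindJSON`) are real; the plugin, its field names and the service are assumptions.

```java
package org.example.jenkins; // hypothetical package, not one of the listed plugins

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/**
 * Hypothetical global configuration for an "Example Service" plugin.
 * Descriptor fields are persisted by XStream to
 * $JENKINS_HOME/org.example.jenkins.ExampleServiceConfiguration.xml,
 * the same kind of file the advisory names for each affected plugin.
 */
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    private String serverUrl;

    // VULNERABLE (the pattern this advisory reports): a plain String field is
    // written to the XML file as <apiToken>the-token</apiToken>, readable by
    // anyone with access to the controller file system.
    //
    //   private String apiToken;

    // FIXED: hudson.util.Secret is written as <apiToken>{...}</apiToken>,
    // encrypted with the controller's own key and decrypted only when
    // getPlainText() is called at the point of use. Changing the field type
    // is enough to migrate: Secret's XStream converter reads a legacy plain
    // value as plain text and re-encrypts it on the next save().
    private Secret apiToken;

    public ExampleServiceConfiguration() {
        load(); // populate the fields from the XML file at startup
    }

    public static ExampleServiceConfiguration get() {
        return GlobalConfiguration.all().get(ExampleServiceConfiguration.class);
    }

    public String getServerUrl() {
        return serverUrl;
    }

    @DataBoundSetter
    public void setServerUrl(String serverUrl) {
        this.serverUrl = serverUrl;
        save();
    }

    // Returning the Secret (not a String) lets the <f:password> control in
    // config.jelly render the encrypted form, so the plain token never
    // appears in the page source of the configuration screen.
    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        // Stapler's Secret converter turns the submitted form value into a Secret
        req.bindJSON(this, json);
        save();
        return true;
    }

    // Call sites decrypt at the last moment and must not log the result.
    public String apiTokenPlainText() {
        return Secret.toString(apiToken);
    }
}
```

The practical check on an existing controller is the XML file itself: a value inside `{...}` next to a field name such as `apiToken` or `password` is a Jenkins `Secret`, while a readable value in that position is the condition the advisory describes. Note that the file-system exposure remains for anyone who can also read `$JENKINS_HOME/secrets/`, so encryption narrows the exposure rather than replacing file-system access controls.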
A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
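The form validation problem above has two parts: the method is reachable by any user with Overall/Read, and it answers GET requests, so it is also reachable through a link that another user's browser follows. The following is an added example and not code from the advisory or from the FTP publisher Plugin: a hypothetical build step (`ExampleServiceBuilder`, made-up package `org.example.jenkins`) whose descriptor carries a `doTestConnection` method in the hardened form, with `@POST` and a permission check scoped to the form it serves (Overall/Administer from global configuration, as in the fix the advisory reports for Netsparker Enterprise Scan Plugin; Item/Configure on the job from a job configuration page). The Jenkins APIs used (`@POST`, `@QueryParameter`, `@AncestorInPath`, `FormValidation`, `Secret`, `BuildStepDescriptor`) are real; the plugin, the service and the `Authorization` header scheme are assumptions.

```java
package org.example.jenkins; // hypothetical package, not one of the listed plugins

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical build step; its perform() body is unchanged by the fix and omitted. */
public class ExampleServiceBuilder extends Builder {

    private final String serverUrl;
    private final Secret apiToken; // Secret, so the job's config.xml holds ciphertext

    @DataBoundConstructor
    public ExampleServiceBuilder(String serverUrl, Secret apiToken) {
        this.serverUrl = serverUrl;
        this.apiToken = apiToken;
    }

    public String getServerUrl() { return serverUrl; }
    public Secret getApiToken() { return apiToken; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Example Service"; }

        // VULNERABLE pattern (what the advisory reports): no @POST and no
        // permission check. Any user with Overall/Read can make the controller
        // open a connection to a server and credentials of their choosing, and
        // because GET is accepted a crafted link makes an administrator's
        // browser trigger the same request (CSRF).
        //
        //   public FormValidation doTestConnection(@QueryParameter String serverUrl,
        //                                          @QueryParameter String apiToken) { ... }

        // FIXED: @POST makes Stapler refuse other verbs and enforce the CSRF
        // crumb; the permission check matches the form the method serves.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter Secret apiToken) {
            if (item == null) {
                // reached from global configuration: require Overall/Administer
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                // reached from a job's configuration page: require Configure on that job
                item.checkPermission(Item.CONFIGURE);
            }

            if (serverUrl == null || serverUrl.trim().isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            try {
                URL url = new URL(serverUrl.trim());
                if (!"https".equals(url.getProtocol())) {
                    return FormValidation.warning("Use https:// so the token is not sent in clear text");
                }
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                conn.setRequestMethod("GET");
                // Secret.toString() decrypts only here, at the point of use
                conn.setRequestProperty("Authorization", "Bearer " + Secret.toString(apiToken));
                int status = conn.getResponseCode();
                conn.disconnect();
                return status == 200
                        ? FormValidation.ok("Connected")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (IOException e) {
                // Report the failure without echoing the token or the full request
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

With `@POST` in place, a GET to the validation URL is rejected by Stapler before the method body runs, and a POST without a valid crumb is rejected by the CSRF protection, so the permission check inside the method is only ever evaluated for a request the user deliberately made from the Jenkins UI.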
Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in sinatra-chef-builder Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
fabric-beta-publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
A missing permission check in a form validation method in OpenID Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
starteam Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller.
These credentials could be viewed by users with access to the Jenkins controller file system.
youtrack-plugin Plugin now stores credentials encrypted.
Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
A missing permission check in a form validation method in Netsparker Enterprise Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.
Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.
Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller.
These API tokens could be viewed by users with access to the Jenkins controller file system.
Netsparker Enterprise Scan Plugin now stores API tokens encrypted.
A missing permission check in a form validation method in kmap-jenkins Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
kmap-jenkins Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: