This advisory announces vulnerabilities in the following Jenkins deliverables:
ircbot
IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
aws-beanstalk-publisher-plugin
AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
hockeyapp
HockeyApp Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
jenkins-jira-issue-updater
Jira Issue Updater Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
ftppublisher
FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
websphere-deployer
WebSphere Deployer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
bitbucket-approve
Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
ftppublisher
A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
zap
Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
jenkins-cloudformation-plugin
jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
aws-cloudwatch-logs-publisher
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
snsnotify
Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
aws-device-farm
aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
cloudshare-docker
CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
bugzilla
Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
trac-publisher-plugin
Trac Publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
vmware-vrealize-automation-plugin
VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
aqua-security-scanner
Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
veracode-scanner
veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
octopusdeploy
Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
wildfly-deployer
WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
vsts-cd
VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
hyper-commons
Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
audit2db
Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
audit2db
A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
labmanager
A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
openshift-deployer
A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
gearman-plugin
A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
zephyr-enterprise-test-management
A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
sinatra-chef-builder
A missing permission check in a form validation method in sinatra-chef-builder Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
fabric-beta-publisher
fabric-beta-publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
upload-pgyer
Upload to pgyer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
cloudtest
A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
nomad
A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
open-stf
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
perfectomobile
Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
TestFairy
TestFairy Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
crowd
Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
openid
A missing permission check in a form validation method in OpenID Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
starteam
starteam Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
jenkins-reviewbot
A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
assembla-auth
Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
relution-publisher
Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
klaros-testmanagement
Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
mabl-integration
mabl Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
diawi-upload
Diawi Upload Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
minio-storage
Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
deployhub
DeployHub Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
youtrack-plugin
youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml
on the Jenkins controller.
These credentials could be viewed by users with access to the Jenkins controller file system.
youtrack-plugin Plugin now stores credentials encrypted.
jabber-server-plugin
Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
netsparker-cloud-scan
A missing permission check in a form validation method in Netsparker Enterprise Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.
Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.
netsparker-cloud-scan
Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml
on the Jenkins controller.
These API tokens could be viewed by users with access to the Jenkins controller file system.
Netsparker Enterprise Scan Plugin now stores API tokens encrypted.
kmap-jenkins
A missing permission check in a form validation method in kmap-jenkins Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
kmap-jenkins
kmap-jenkins Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
crittercism-dsym
crittercism-dsym Plugin stores credentials unencrypted in job config.xml
files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
sra-deploy
Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
sametime
Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
koji
Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
cloudcoreo-deploytime
CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml
on the Jenkins controller.
These credentials can be viewed by users with access to the Jenkins controller file system.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: