Vulnerabilities
Vulnerable Software
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
CVSS Score: 5.4
EPSS Score: 0.299
Published: 2023-02-15

Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.
CVSS Score: 6.5
EPSS Score: 0.009
Published: 2022-02-15

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.
CVSS Score: 5.3
EPSS Score: 0.0
Published: 2017-10-05

