Terminology

This page provides a quick overview of commonly used security terms in Jenkins and its documentation. While not exhaustive, it aims to clarify terminology used in security advisories and security-related documentation on this site.

General

Attack

As a noun, an attack is a deliberate attempt to exploit a vulnerability to compromise the confidentiality, integrity, or availability of a system. As a verb, it means to perform actions intended to compromise, damage, or gain unauthorized access to a system.

Attacker

An attacker is an individual, program, or group that attempts to exploit vulnerabilities in a system.

Crafted

In vulnerability descriptions, "crafted" refers to input or data that has been intentionally designed or manipulated by an attacker to trigger a vulnerability.

Exploit

As a noun, an exploit is software, code, or a sequence of instructions that leverages a vulnerability to perform an attack. As a verb, it means to take advantage of a specific vulnerability in a system.

Fix

A fix is a code or configuration change that removes a vulnerability, thereby preventing it from being exploited.

Mitigation

A mitigation is a security measure or control that reduces the chances of a vulnerability being exploited, or lessens the damage if it is. Unlike a fix, a mitigation does not necessarily eliminate the vulnerability.

Vulnerability

A vulnerability is a flaw or weakness that could be leveraged by an attacker to perform unauthorized actions with a security impact.

Vulnerabilities

Command Injection

Command injection (or OS command injection) is a vulnerability that occurs when an application constructs and executes OS shell commands from untrusted user input without validating or escaping it, so that the input can alter the command that is run.
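The following is an added example, not code from Jenkins or any Jenkins plugin: a hypothetical plugin method that runs git log for a branch name taken from an untrusted request parameter, first in a vulnerable form that hands the value to a shell, then in a hardened form that passes it as a single argument and validates it. The class and method names, and the allowlist pattern, are assumptions made for this illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Jenkins project code). Hypothetical class and method names.
public class BranchLog {

    // VULNERABLE: the untrusted value is spliced into a string that /bin/sh parses,
    // so shell syntax inside branchName (separators, substitutions, redirections)
    // becomes part of the command rather than part of the branch name.
    static Process vulnerable(String branchName) throws IOException {
        String cmd = "git log --oneline " + branchName;
        return new ProcessBuilder("sh", "-c", cmd).start();
    }

    // Allowlist of characters a git ref name may contain (assumption; tighten to taste).
    private static final Pattern SAFE_REF = Pattern.compile("[A-Za-z0-9._/-]{1,255}");

    // Builds the argument vector without involving a shell. Each list element reaches
    // the child process as exactly one argv entry, so no metacharacter is interpreted.
    static List<String> hardenedArgv(String branchName) {
        if (!SAFE_REF.matcher(branchName).matches()) {
            throw new IllegalArgumentException("branch name contains disallowed characters");
        }
        // A value starting with '-' would be parsed by git as an option (argument injection),
        // which argv separation alone does not prevent, so reject it explicitly.
        if (branchName.startsWith("-")) {
            throw new IllegalArgumentException("branch name must not start with '-'");
        }
        return Arrays.asList("git", "log", "--oneline", branchName);
    }

    // HARDENED: validated input, no shell, one argv element per argument.
    static Process hardened(String branchName) throws IOException {
        return new ProcessBuilder(hardenedArgv(branchName)).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal branch name and one carrying shell syntax.
        System.out.println(hardenedArgv("release/1.2"));
        try {
            hardenedArgv("main; id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two defences are independent: dropping the shell removes the command injection, while the allowlist and the leading-dash check address argument injection into git itself, which a shell-free invocation does not cover on its own.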

Cross-Site Request Forgery (CSRF)

CSRF attacks trick a user’s browser into performing unwanted actions in a web application they are logged into, often without the user’s knowledge.

Cross-Site Scripting (XSS)

XSS vulnerabilities allow an attacker to inject malicious scripts into web pages viewed by other users. These scripts run within the victim’s web browser and can steal sensitive data, hijack sessions, modify content, or perform unauthorized actions on behalf of the user.

Disclosure

Disclosure (also called information disclosure) refers to a class of vulnerability in which sensitive information becomes accessible to actors who are not authorized to see it.

Path Traversal

A path traversal vulnerability allows an attacker to access files and directories that are stored outside the intended directory. This is typically achieved by manipulating file path parameters, such as using ../ sequences, to traverse the filesystem and access sensitive resources such as configuration files or cryptographic secrets.
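As an added example, not taken from Jenkins itself, here is a hypothetical artifact reader that serves files from a fixed base directory by a name supplied in a request. The vulnerable variant resolves the name directly, so ../ sequences or an absolute path escape the directory; the hardened variant normalises the result, checks that it is still inside the base directory, and repeats the check after resolving symbolic links. Class and method names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Jenkins project code). Hypothetical names throughout.
public class ArtifactReader {
    private final Path baseDir;

    ArtifactReader(Path baseDir) throws IOException {
        // Canonical form: absolute, normalised, symlinks resolved. Every containment
        // check below compares against this value, never against the raw argument.
        this.baseDir = baseDir.toRealPath();
    }

    // VULNERABLE: "../../etc/passwd" or an absolute name resolves to a path outside baseDir
    // (Path.resolve returns an absolute argument unchanged), and nothing checks for that.
    byte[] readVulnerable(String name) throws IOException {
        return Files.readAllBytes(baseDir.resolve(name));
    }

    // Pure containment check, usable in unit tests without touching the filesystem.
    // normalize() collapses "." and ".." lexically; Path.startsWith compares whole path
    // components, so "/srv/artifacts2" is correctly NOT treated as inside "/srv/artifacts".
    static boolean isWithin(Path base, String name) {
        Path candidate = base.resolve(name).normalize();
        return candidate.startsWith(base);
    }

    // HARDENED: lexical check first, then a second check on the real path, because a
    // symlink placed inside baseDir can still point outside it.
    byte[] readHardened(String name) throws IOException {
        if (!isWithin(baseDir, name)) {
            throw new SecurityException("path escapes base directory: " + name);
        }
        Path real = baseDir.resolve(name).normalize().toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("symlink escapes base directory: " + name);
        }
        return Files.readAllBytes(real);
    }

    public static void main(String[] args) {
        // Constructed inputs against a constructed base; no filesystem access is needed here.
        Path base = Paths.get("/srv/artifacts");
        System.out.println(isWithin(base, "build-42/log.txt"));        // true
        System.out.println(isWithin(base, "../../etc/passwd"));         // false
        System.out.println(isWithin(base, "/etc/passwd"));              // false
        System.out.println(isWithin(base, "a/../../secrets.xml"));      // false
    }
}
```

Rejecting rather than sanitising is deliberate: stripping ../ from the input can be bypassed by encoded or doubled sequences, whereas checking the resolved path answers the actual question of where the read would land.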

Remote Code Execution (RCE)

RCE is the ability of an attacker to run arbitrary code on a target system remotely, typically as a result of exploiting a vulnerability. In Jenkins security advisories, this generally refers to executing code inside the Jenkins JVM, as opposed to (OS) command injection, which generally refers to shell command invocations. Each can usually be used to achieve the other, resulting in an equivalent complete compromise of Jenkins. Note that Jenkins administrators have access to the Script Console, a feature of comparable power.

Server-Side Request Forgery (SSRF)

SSRF is a vulnerability in which an attacker tricks the server into making unauthorized requests to internal resources or third-party services, potentially leading to data exposure or unauthorized access.

XML External Entity (XXE)

An XXE vulnerability occurs when an XML parser processes an external entity reference within an XML document. This can enable attackers to read local files (see Path Traversal), perform server-side request forgery (see Server-Side Request Forgery), or execute denial-of-service attacks, depending on the system configuration.