S3 publisher Plugin
Source repositories
CVEs (25)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-34786 | 0.01 | — | 0.09 | Jun 30, 2022 | Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | |||
| CVE-2025-53651 | 0.00 | — | 0.01 | Jul 9, 2025 | Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. | |||
| CVE-2024-28151 | 0.00 | — | 0.00 | Mar 6, 2024 | Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists,… | |||
| CVE-2024-28150 | 0.00 | — | 0.00 | Mar 6, 2024 | Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||
| CVE-2024-28149 | 0.00 | — | 0.00 | Mar 6, 2024 | Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists. | |||
| CVE-2023-37959 | 0.00 | — | 0.00 | Jul 12, 2023 | A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||
| CVE-2023-37958 | 0.00 | — | 0.00 | Jul 12, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL. | |||
| CVE-2023-28682 | 0.00 | — | 0.01 | Mar 23, 2023 | Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||
| CVE-2022-41232 | 0.00 | — | 0.00 | Sep 21, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint. | |||
| CVE-2022-41230 | 0.00 | — | 0.00 | Sep 21, 2022 | Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for… | |||
| CVE-2022-41231 | 0.00 | — | 0.00 | Sep 21, 2022 | Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. | |||
| CVE-2022-34213 | 0.00 | — | 0.00 | Jun 22, 2022 | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||
| CVE-2022-25199 | 0.00 | — | 0.00 | Feb 15, 2022 | A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. | |||
| CVE-2022-25198 | 0.00 | — | 0.00 | Feb 15, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. | |||
| CVE-2021-43578 | 0.00 | — | 0.00 | Nov 12, 2021 | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file… | |||
| CVE-2021-21651 | 0.00 | — | 0.00 | May 11, 2021 | Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles. | |||
| CVE-2021-21650 | 0.00 | — | 0.00 | May 11, 2021 | Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission… | |||
| CVE-2020-2114 | 0.00 | — | 0.00 | Feb 12, 2020 | Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||
| CVE-2019-10432 | 0.00 | — | 0.00 | Oct 1, 2019 | Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. | |||
| CVE-2019-10426 | 0.00 | — | 0.00 | Sep 25, 2019 | Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
- CVE-2022-34786Jun 30, 2022risk 0.01cvss —epss 0.09
Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
- CVE-2025-53651Jul 9, 2025risk 0.00cvss —epss 0.01
Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
- CVE-2024-28151Mar 6, 2024risk 0.00cvss —epss 0.00
Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists,…
- CVE-2024-28150Mar 6, 2024risk 0.00cvss —epss 0.00
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
- CVE-2024-28149Mar 6, 2024risk 0.00cvss —epss 0.00
Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.
- CVE-2023-37959Jul 12, 2023risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
- CVE-2023-37958Jul 12, 2023risk 0.00cvss —epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.
- CVE-2023-28682Mar 23, 2023risk 0.00cvss —epss 0.01
Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- CVE-2022-41232Sep 21, 2022risk 0.00cvss —epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.
- CVE-2022-41230Sep 21, 2022risk 0.00cvss —epss 0.00
Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for…
- CVE-2022-41231Sep 21, 2022risk 0.00cvss —epss 0.00
Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.
- CVE-2022-34213Jun 22, 2022risk 0.00cvss —epss 0.00
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-25199Feb 15, 2022risk 0.00cvss —epss 0.00
A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
- CVE-2022-25198Feb 15, 2022risk 0.00cvss —epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
- CVE-2021-43578Nov 12, 2021risk 0.00cvss —epss 0.00
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file…
- CVE-2021-21651May 11, 2021risk 0.00cvss —epss 0.00
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
- CVE-2021-21650May 11, 2021risk 0.00cvss —epss 0.00
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission…
- CVE-2020-2114Feb 12, 2020risk 0.00cvss —epss 0.00
Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
- CVE-2019-10432Oct 1, 2019risk 0.00cvss —epss 0.00
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
- CVE-2019-10426Sep 25, 2019risk 0.00cvss —epss 0.00
Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
Page 1 of 2