VYPR

Jenkins Xp Dev Plugin

by Jenkins Project

CVEs (22)

  • CVE-2022-41238 (Critical, Sep 21, 2022)
    risk 0.64, CVSS 9.8, EPSS 0.01

    A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

  • CVE-2022-41237 (Critical, Sep 21, 2022)
    risk 0.64, CVSS 9.8, EPSS 0.01

    Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2019-1003034 (Critical, Mar 8, 2019)
    risk 0.58, CVSS 9.9, EPSS 0.03

    A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy,…

  • CVE-2022-34181 (Critical, Jun 23, 2022)
    risk 0.52, CVSS 9.1, EPSS 0.01

    Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the…

  • CVE-2019-10453 (High, Oct 16, 2019)
    risk 0.51, CVSS 7.8, EPSS 0.00

    Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10340 (High, Jul 11, 2019)
    risk 0.50, CVSS 8.8, EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…

  • CVE-2025-53676 (Medium, Jul 9, 2025)
    risk 0.42, CVSS 6.5, EPSS 0.00

    Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-40345 (Medium, Aug 16, 2023)
    risk 0.42, CVSS 6.5, EPSS 0.01

    Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.

  • CVE-2022-41239 (Medium, Sep 21, 2022)
    risk 0.35, CVSS 5.4, EPSS 0.01

    Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2022-25204 (Medium, Feb 15, 2022)
    risk 0.35, CVSS 5.4, EPSS 0.01

    Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists.

  • CVE-2019-10341 (Medium, Jul 11, 2019)
    risk 0.35, CVSS 6.5, EPSS 0.02

    A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2025-53677 (Medium, Jul 9, 2025)
    risk 0.34, CVSS 5.3, EPSS 0.00

    Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2022-45389 (Medium, Nov 15, 2022)
    risk 0.34, CVSS 5.3, EPSS 0.01

    A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

  • CVE-2023-40344 (Medium, Aug 16, 2023)
    risk 0.28, CVSS 4.3, EPSS 0.01

    A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2019-10342 (Medium, Jul 11, 2019)
    risk 0.28, CVSS 4.3, EPSS 0.01

    A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2024-28161 (Medium, Mar 6, 2024)
    risk 0.27, CVSS 5.3, EPSS 0.00

    In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default.

  • CVE-2023-2631 (Medium, May 16, 2023)
    risk 0.21, CVSS 4.3, EPSS 0.00

    A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2023-2195 (Medium, May 16, 2023)
    risk 0.21, CVSS 4.3, EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2023-2633 (Medium, May 16, 2023)
    risk 0.21, CVSS 4.3, EPSS 0.00

    Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-2632 (Medium, May 16, 2023)
    risk 0.21, CVSS 4.3, EPSS 0.01

    Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Page 1 of 2