Jenkins
by Jenkinsci
Source repositories
CVEs (5)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67639 | | 0.00 | — | 0.00 | | Dec 10, 2025 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account. |
| CVE-2025-67638 | | 0.00 | — | 0.00 | | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-67637 | | 0.00 | — | 0.00 | | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2025-67636 | | 0.00 | — | 0.00 | | Dec 10, 2025 | A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. |
| CVE-2025-67635 | | 0.00 | — | 0.00 | | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. |