Jenkins Project
Products
718- 207 CVEs
- 47 CVEs
- 33 CVEs
- 29 CVEs
- 25 CVEs
- 22 CVEs
- 19 CVEs
- 19 CVEs
- 17 CVEs
- 15 CVEs
- 14 CVEs
- 13 CVEs
- 12 CVEs
- 11 CVEs
- 10 CVEs
- 10 CVEs
- 10 CVEs
- 9 CVEs
- 9 CVEs
- 9 CVEs
- 9 CVEs
- 9 CVEs
- 9 CVEs
- 8 CVEs
- 8 CVEs
- 8 CVEs
- 8 CVEs
- 8 CVEs
- 7 CVEs
- 7 CVEs
- View all 718 products →
Recent CVEs
1,579| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-9299 | Cri | 0.68 | 9.8 | 0.97 | Jan 12, 2017 | The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | ||
| CVE-2015-8103 | Cri | 0.67 | 9.8 | 0.87 | Nov 25, 2015 | The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in… | ||
| CVE-2023-44487 | Hig | 0.65 | 7.5 | 1.00 | KEV | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |
| CVE-2019-10458 | Cri | 0.65 | 9.9 | 0.02 | Oct 16, 2019 | Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code. | ||
| CVE-2019-1003032 | Cri | 0.65 | 9.9 | 0.02 | Mar 8, 2019 | A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java,… | ||
| CVE-2023-49656 | Cri | 0.64 | 9.8 | 0.01 | Nov 29, 2023 | Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||
| CVE-2023-49654 | Cri | 0.64 | 9.8 | 0.01 | Nov 29, 2023 | Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. | ||
| CVE-2023-28677 | Cri | 0.64 | 9.8 | 0.01 | Apr 2, 2023 | Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to… | ||
| CVE-2023-24444 | Cri | 0.64 | 9.8 | 0.01 | Jan 26, 2023 | Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. | ||
| CVE-2022-45400 | Cri | 0.64 | 9.8 | 0.01 | Nov 15, 2022 | Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||
| CVE-2022-45396 | Cri | 0.64 | 9.8 | 0.01 | Nov 15, 2022 | Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||
| CVE-2022-45395 | Cri | 0.64 | 9.8 | 0.01 | Nov 15, 2022 | Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||
| CVE-2022-43406 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox… | ||
| CVE-2022-43405 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and… | ||
| CVE-2022-43404 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including… | ||
| CVE-2022-43403 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection… | ||
| CVE-2022-43402 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the… | ||
| CVE-2022-43401 | Cri | 0.64 | 9.9 | 0.01 | Oct 19, 2022 | A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass… | ||
| CVE-2022-41238 | Cri | 0.64 | 9.8 | 0.01 | Sep 21, 2022 | A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits. | ||
| CVE-2022-41237 | Cri | 0.64 | 9.8 | 0.01 | Sep 21, 2022 | Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
- risk 0.68cvss 9.8epss 0.97
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
- risk 0.67cvss 9.8epss 0.87
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in…
- risk 0.65cvss 7.5epss 1.00
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- risk 0.65cvss 9.9epss 0.02
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
- risk 0.65cvss 9.9epss 0.02
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java,…
- risk 0.64cvss 9.8epss 0.01
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- risk 0.64cvss 9.8epss 0.01
Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.
- risk 0.64cvss 9.8epss 0.01
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to…
- risk 0.64cvss 9.8epss 0.01
Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
- risk 0.64cvss 9.8epss 0.01
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- risk 0.64cvss 9.8epss 0.01
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- risk 0.64cvss 9.8epss 0.01
Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox…
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and…
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including…
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection…
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the…
- risk 0.64cvss 9.9epss 0.01
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass…
- risk 0.64cvss 9.8epss 0.01
A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.
- risk 0.64cvss 9.8epss 0.01
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.