VYPR · Vendor CVEs

Jenkins Project · All CVEs

1,579 total · sorted by risk
  • CVE-2016-9299 · Critical · Jan 12, 2017
    risk 0.68 · CVSS 9.8 · EPSS 0.97

    The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

  • CVE-2015-8103 · Critical · Nov 25, 2015
    risk 0.67 · CVSS 9.8 · EPSS 0.87

    The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in…

  • CVE-2023-44487 · High · KEV · Oct 10, 2023
    risk 0.65 · CVSS 7.5 · EPSS 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2019-10458 · Critical · Oct 16, 2019
    risk 0.65 · CVSS 9.9 · EPSS 0.02

    Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

  • CVE-2019-1003032 · Critical · Mar 8, 2019
    risk 0.65 · CVSS 9.9 · EPSS 0.02

    A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java,…

  • CVE-2023-49656 · Critical · Nov 29, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-49654 · Critical · Nov 29, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.

  • CVE-2023-28677 · Critical · Apr 2, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to…

  • CVE-2023-24444 · Critical · Jan 26, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

  • CVE-2022-45400 · Critical · Nov 15, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45396 · Critical · Nov 15, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45395 · Critical · Nov 15, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-43406 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox…

  • CVE-2022-43405 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and…

  • CVE-2022-43404 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including…

  • CVE-2022-43403 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection…

  • CVE-2022-43402 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the…

  • CVE-2022-43401 · Critical · Oct 19, 2022
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass…

  • CVE-2022-41238 · Critical · Sep 21, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

  • CVE-2022-41237 · Critical · Sep 21, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2019-10418 · Critical · Sep 25, 2019
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

  • CVE-2019-10417 · Critical · Sep 25, 2019
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

  • CVE-2019-11350 · Critical · Apr 19, 2019
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.

  • CVE-2017-1000245 · Critical · Nov 1, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

  • CVE-2016-0791 · Critical · Apr 7, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

  • CVE-2023-27905 · Critical · Mar 10, 2023
    risk 0.63 · CVSS 9.6 · EPSS 0.02

    Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.

  • CVE-2019-10309 · Critical · Apr 30, 2019
    risk 0.61 · CVSS 9.3 · EPSS 0.02

    Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm…

  • CVE-2016-0792 · High · Apr 7, 2016
    risk 0.60 · CVSS 8.8 · EPSS 0.83

    Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

  • CVE-2026-42523 · Critical · Apr 29, 2026
    risk 0.59 · CVSS 9.0 · EPSS 0.00

    Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous…

  • CVE-2022-41241 · Critical · Sep 21, 2022
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21669 · Critical · Jun 18, 2021
    risk 0.59 · CVSS 9.8 · EPSS 0.26

    Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2019-1003015 · Critical · Feb 6, 2019
    risk 0.59 · CVSS 9.1 · EPSS 0.02

    An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of…

  • CVE-2021-21659 · High · May 25, 2021
    risk 0.58 · CVSS 8.1 · EPSS 0.67

    Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2279 · Critical · Sep 23, 2020
    risk 0.58 · CVSS 9.9 · EPSS 0.02

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.

  • CVE-2019-10431 · Critical · Oct 1, 2019
    risk 0.58 · CVSS 9.9 · EPSS 0.03

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10328 · Critical · May 31, 2019
    risk 0.58 · CVSS 9.9 · EPSS 0.02

    Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

  • CVE-2019-10306 · Critical · Apr 18, 2019
    risk 0.58 · CVSS 9.9 · EPSS 0.02

    A sandbox bypass vulnerability in Jenkins ontrack Plugin 3.4 and earlier allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM.

  • CVE-2019-1003034 · Critical · Mar 8, 2019
    risk 0.58 · CVSS 9.9 · EPSS 0.03

    A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy,…

  • CVE-2019-1003031 · Critical · Mar 8, 2019
    risk 0.58 · CVSS 9.9 · EPSS 0.03

    A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.

  • CVE-2016-0788 · Critical · Apr 7, 2016
    risk 0.58 · CVSS 9.8 · EPSS 0.12

    The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

  • CVE-2026-53435 · High · Jun 10, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.15

    In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.…

  • CVE-2026-48920 · High · May 27, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify…

  • CVE-2023-50778 · High · Dec 13, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token.

  • CVE-2023-49673 · High · Nov 29, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-49655 · High · Nov 29, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.

  • CVE-2023-43500 · High · Sep 20, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-41945 · High · Sep 6, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

  • CVE-2023-41939 · High · Sep 6, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted typically optional permissions (like Overall/Manage) to access functionality they're no longer entitled to.

  • CVE-2023-40341 · High · Aug 16, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

  • CVE-2023-40336 · High · Aug 16, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
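
Eight entries on this page share one sentence: the plugin "does not configure its XML parser to prevent XML external entity (XXE) attacks" (CVE-2023-49656 MATLAB, CVE-2022-45400 JAPEX, CVE-2022-45396 SourceMonitor, CVE-2022-45395 CCCC, CVE-2019-10309 Swarm, CVE-2022-41241 RQM, CVE-2021-21669 Generic Webhook Trigger, CVE-2021-21659 URLTrigger). The following is an added illustration, not code from any of those plugins or from the Jenkins project: a JAXP DocumentBuilderFactory with default settings beside a hardened one, fed a constructed document that declares an external entity pointing at a local file. Class and method names, the payload and the file path are all invented for the example; the feature and property URIs are the standard ones understood by the JDK's bundled Xerces parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed payload (not taken from any advisory): declares an external entity
    // that points at a local file, then references it in the document body. A parser
    // that resolves external entities replaces &xxe; with the file's contents.
    static final String PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE report [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<report><host>&xxe;</host></report>";

    // The pattern behind the XXE entries above: a factory left at JAXP defaults.
    // The JDK's built-in parser resolves external general entities and external
    // DTDs unless told otherwise.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory. Rejecting the DOCTYPE declaration outright (first feature) is
    // the single most effective setting; the rest are defence in depth for parser
    // implementations that do not honour it.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 (JDK 7u40+) properties: empty string means no external access at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the document and returns the text of <host>, i.e. whatever &xxe; became.
    static String hostText(DocumentBuilderFactory f, String xml) throws Exception {
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("host").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        try {
            // On a default JDK configuration this prints the machine's hostname:
            // the parser read a local file on the attacker's behalf.
            System.out.println("default factory  : leaked \"" + hostText(defaultFactory(), PAYLOAD) + "\"");
        } catch (Exception e) {
            // Reached when /etc/hostname does not exist (e.g. Windows); the parser still tried.
            System.out.println("default factory  : tried to resolve the entity, failed: " + e.getMessage());
        }
        try {
            hostText(hardenedFactory(), PAYLOAD);
            System.out.println("hardened factory : UNEXPECTED, payload was accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused before any entity is resolved.
            System.out.println("hardened factory : rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (`javac XxeHardening.java && java XxeHardening`); nothing outside the standard library is needed. The same settings apply to `SAXParserFactory`, `XMLInputFactory` (`IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` set to false) and `TransformerFactory` (`ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` set to the empty string); when reviewing a plugin, grep for every `Factory.newInstance()` call on an XML type and check that the result is configured before it parses anything the network, a build agent or a job configuration can influence.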

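The two highest-risk entries on this page, CVE-2016-9299 and CVE-2015-8103, and the older CVE-2016-0788, all describe the same failure: Jenkins deserialized Java objects from an untrusted peer and let the stream, rather than the receiving code, decide which classes were instantiated. The block below is an added example, not the Jenkins project's code and not the remoting fix the project shipped; it shows the generic JVM-level control for this class of bug, a JEP 290 `ObjectInputFilter` allowlist (JDK 9 and later). The message shape, the class names and the sample objects are invented for the illustration; the unexpected type is a harmless `java.util.ArrayList` standing in for whatever class an attacker would choose.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DeserializationAllowlist {

    // JEP 290 filter. Only the types this hypothetical protocol is expected to carry
    // may be instantiated; the trailing "!*" rejects everything else, so an
    // attacker-chosen class is refused before its readObject() ever runs. The limits
    // cap nesting depth, object count and stream size against resource-exhaustion
    // payloads. java.lang.Number is listed because Integer's serialized class
    // descriptor chain includes its Serializable superclass.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Integer;java.util.HashMap;"
          + "maxdepth=8;maxrefs=256;maxbytes=65536;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // filter == null reproduces the unfiltered behaviour the entries above relied on.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the message shape the receiver legitimately expects.
        Map<String, Integer> expected = new HashMap<>();
        expected.put("buildNumber", 42);
        byte[] legit = serialize(expected);

        // Constructed stand-in for an attacker-chosen type. A real gadget chain would be a
        // class with side effects in readObject(); ArrayList is harmless but, like any type
        // not on the list, must be refused.
        byte[] unexpected = serialize(new ArrayList<>(List.of("not", "expected")));

        System.out.println("filtered, expected type    : " + deserialize(legit, ALLOWLIST));
        try {
            deserialize(unexpected, ALLOWLIST);
            System.out.println("filtered, unexpected type  : UNEXPECTED, was accepted");
        } catch (InvalidClassException e) {
            // Expected path: the filter returns REJECTED for java.util.ArrayList.
            System.out.println("filtered, unexpected type  : rejected (" + e.getMessage() + ")");
        }
        // Same bytes with no filter: the attacker-chosen type is instantiated.
        System.out.println("unfiltered, unexpected type: " + deserialize(unexpected, null));
    }
}
```

An allowlist of concrete classes is the right shape for a protocol whose message types are known; a denylist of gadget classes, which is what most early fixes in this space were, has to be updated every time a new gadget chain is published. Where the stream cannot be filtered per call, the same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property or security property, which is the quickest mitigation on a server you do not control the code for.
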
Page 1 of 32