VYPR Vendor CVEs

Jenkins Project: All CVEs

1,579 total · sorted by risk
  • CVE-2022-34177 · High · Jun 23, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related…

  • CVE-2022-34175 · High · Jun 23, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.

  • CVE-2022-34174 · High · Jun 23, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database…

  • CVE-2022-30959 · Medium · May 17, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-30948 · High · May 17, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

  • CVE-2022-30947 · High · May 17, 2022
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

  • CVE-2022-27216 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-27211 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2022-27210 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2022-27209 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-27208 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.

  • CVE-2022-27206 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-27203 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

  • CVE-2022-27201 · Medium · Mar 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file…

  • CVE-2022-25201 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-25186 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

  • CVE-2022-25178 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system.

  • CVE-2022-25177 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files…

  • CVE-2022-25176 · Medium · Feb 15, 2022
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read…

  • CVE-2022-0538 · High · Feb 9, 2022
    risk 0.42 · cvss 7.5 · epss 0.04

    Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.

  • CVE-2021-43576 · Medium · Nov 12, 2021
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets…

  • CVE-2021-21698 · High · Nov 4, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.

  • CVE-2021-21688 · High · Nov 4, 2021
    risk 0.42 · cvss 7.5 · epss 0.01

    The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).

  • CVE-2021-21671 · High · Jun 30, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

  • CVE-2021-21618 · Medium · Feb 24, 2021
    risk 0.42 · cvss 5.4 · epss 0.82

    Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2020-2324 · High · Dec 3, 2020
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2319 · Medium · Nov 4, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2318 · Medium · Nov 4, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2020-2312 · Medium · Nov 4, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.

  • CVE-2020-2298 · Medium · Oct 8, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2295 · Medium · Oct 8, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin.

  • CVE-2020-2294 · Medium · Oct 8, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

  • CVE-2020-2293 · Medium · Oct 8, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

  • CVE-2020-2278 · Medium · Sep 16, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content.

  • CVE-2020-2277 · Medium · Sep 16, 2020
    risk 0.42 · cvss 6.5 · epss 0.02

    Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

  • CVE-2020-2250 · Medium · Sep 1, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2020-2247 · Medium · Sep 1, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2232 · High · Aug 12, 2020
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.

  • CVE-2020-2198 · Medium · Jun 3, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.

  • CVE-2020-2164 · Medium · Mar 25, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2133 · Medium · Feb 12, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2131 · Medium · Feb 12, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2130 · Medium · Feb 12, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2129 · Medium · Feb 12, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2114 · High · Feb 12, 2020
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-16576 · Medium · Dec 17, 2019
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes…

  • CVE-2019-16574 · Medium · Dec 17, 2019
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2019-16566 · Medium · Dec 17, 2019
    risk 0.42 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-16556 · Medium · Dec 17, 2019
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-16542 · Medium · Nov 21, 2019
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Page 10 of 32