VYPR

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2018-1000419 · Medium · Jan 9, 2019
    risk 0.42 · CVSS 6.5 · EPSS 0.02

    An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.

  • CVE-2017-1000104 · Medium · Oct 5, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now…

  • CVE-2017-1000095 · Medium · Oct 5, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g.…

  • CVE-2017-1000085 · Medium · Oct 5, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web…

  • CVE-2016-4986 · High · Feb 9, 2017
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter.

  • CVE-2016-3724 · Medium · May 17, 2016
    risk 0.42 · CVSS 6.5 · EPSS 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

  • CVE-2015-7539 · High · Feb 3, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

  • CVE-2022-30956 · Medium · May 17, 2022
    risk 0.41 · CVSS 5.4 · EPSS 0.71

    Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

  • CVE-2022-29036 · Medium · Apr 12, 2022
    risk 0.41 · CVSS 5.4 · EPSS 0.79

    Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting…

  • CVE-2021-21668 · Medium · Jun 16, 2021
    risk 0.41 · CVSS 5.4 · EPSS 0.76

    Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

  • CVE-2020-2146 · High · Mar 9, 2020
    risk 0.41 · CVSS 7.4 · EPSS 0.01

    Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

  • CVE-2019-1003009 · High · Feb 6, 2019
    risk 0.41 · CVSS 7.4 · EPSS 0.01

    An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java,…

  • CVE-2017-1000091 · Medium · Oct 5, 2017
    risk 0.41 · CVSS 6.3 · EPSS 0.01

    GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access…

  • CVE-2016-3102 · High · Feb 9, 2017
    risk 0.41 · CVSS 7.3 · EPSS 0.02

    The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.

  • CVE-2016-3726 · High · May 17, 2016
    risk 0.41 · CVSS 7.4 · EPSS 0.02

    Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

  • CVE-2023-41944 · Medium · Sep 6, 2023
    risk 0.40 · CVSS 6.1 · EPSS 0.00

    Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.

  • CVE-2023-37947 · Medium · Jul 12, 2023
    risk 0.40 · CVSS 6.1 · EPSS 0.00

    Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

  • CVE-2023-24445 · Medium · Jan 26, 2023
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

  • CVE-2020-2248 · Medium · Sep 1, 2020
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Jenkins JSGames Plugin 0.2 and earlier evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2020-2217 · Medium · Jul 2, 2020
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2020-2199 · Medium · Jun 3, 2020
    risk 0.40 · CVSS 6.1 · EPSS 0.06

    Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.

  • CVE-2020-2174 · Medium · Apr 7, 2020
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.

  • CVE-2020-2152 · Medium · Mar 9, 2020
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.

  • CVE-2012-4439 · Medium · Nov 18, 2019
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.

  • CVE-2019-10376 · Medium · Aug 7, 2019
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

  • CVE-2019-10346 · Medium · Jul 11, 2019
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    A reflected cross-site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.

  • CVE-2019-1003023 · Medium · Feb 6, 2019
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java,…

  • CVE-2019-1003003 · High · Jan 22, 2019
    risk 0.40 · CVSS 7.2 · EPSS 0.02

    An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never…

  • CVE-2018-1000426 · Medium · Jan 9, 2019
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly…

  • CVE-2017-1000109 · Medium · Oct 5, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.

  • CVE-2016-4988 · Medium · Feb 9, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

  • CVE-2023-27899 · High · Mar 10, 2023
    risk 0.39 · CVSS 7.0 · EPSS 0.00

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file…

  • CVE-2022-20619 · High · Jan 12, 2022
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2021-43577 · High · Nov 12, 2021
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21680 · High · Aug 31, 2021
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

  • CVE-2021-21656 · High · May 11, 2021
    risk 0.39 · CVSS 7.1 · EPSS 0.02

    Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21655 · High · May 11, 2021
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.

  • CVE-2020-2144 · High · Mar 9, 2020
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2140 · Medium · Mar 9, 2020
    risk 0.39 · CVSS 6.1 · EPSS 0.76

    Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.

  • CVE-2020-2138 · High · Mar 9, 2020
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2019-1003044 · High · Mar 28, 2019
    risk 0.39 · CVSS 7.1 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-40343 · Medium · Aug 16, 2023
    risk 0.38 · CVSS 5.9 · EPSS 0.00

    Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

  • CVE-2019-10317 · Medium · Apr 30, 2019
    risk 0.38 · CVSS 5.9 · EPSS 0.01

    Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2019-10314 · Medium · Apr 30, 2019
    risk 0.38 · CVSS 5.9 · EPSS 0.01

    Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2023-50770 · Medium · Dec 13, 2023
    risk 0.37 · CVSS 6.7 · EPSS 0.00

    Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that…

  • CVE-2026-48927 · Medium · May 27, 2026
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views.

  • CVE-2023-24454 · Medium · Jan 26, 2023
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-24442 · Medium · Jan 26, 2023
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins…

  • CVE-2023-24440 · Medium · Jan 26, 2023
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.

  • CVE-2023-24439 · Medium · Jan 26, 2023
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Page 12 of 32