VYPR · Vendor CVEs · Jenkins Project · All CVEs

1,578 total · sorted by risk
  • CVE-2021-21612 · Medium · Jan 13, 2021
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2314 · Medium · Nov 4, 2020
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2274 · Medium · Sep 16, 2020
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2154 · Medium · Mar 9, 2020
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.

  • CVE-2020-2145 · Medium · Mar 9, 2020
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.

  • CVE-2019-16572 · Medium · Dec 17, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-16543 · Medium · Nov 21, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10430 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10426 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10424 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10423 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10420 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10419 · Medium · Sep 25, 2019
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10352 · Medium · Jul 17, 2019
    risk 0.36 · CVSS 6.5 · EPSS 0.10

    A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting…

  • CVE-2018-1000997 · Medium · Jan 23, 2019
    risk 0.36 · CVSS 6.5 · EPSS 0.03

    A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java,…

  • CVE-2018-1000406 · Medium · Jan 9, 2019
    risk 0.36 · CVSS 6.5 · EPSS 0.04

    A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory,…

  • CVE-2017-1000113 · Medium · Oct 5, 2017
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin…

  • CVE-2024-23901 · Medium · Jan 24, 2024
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next…

  • CVE-2024-23899 · Medium · Jan 24, 2024
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from…

  • CVE-2023-46659 · Medium · Oct 25, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2023-46655 · Medium · Oct 25, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from…

  • CVE-2023-46651 · Medium · Oct 25, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.

  • CVE-2023-43501 · Medium · Sep 20, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-43499 · Medium · Sep 20, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.

  • CVE-2023-43495 · Medium · Sep 20, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.

  • CVE-2023-41940 · Medium · Sep 6, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.

  • CVE-2023-41931 · Medium · Sep 6, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not properly sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2023-40350 · Medium · Aug 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

  • CVE-2023-40346 · Medium · Aug 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

  • CVE-2023-40342 · Medium · Aug 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

  • CVE-2023-37963 · Medium · Jul 12, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

  • CVE-2023-37955 · Medium · Jul 12, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2023-37953 · Medium · Jul 12, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-35146 · Medium · Jun 14, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as building blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

  • CVE-2023-35145 · Medium · Jun 14, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2023-35144 · Medium · Jun 14, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2023-35143 · Medium · Jun 14, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions…

  • CVE-2023-33007 · Medium · May 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2023-33006 · Medium · May 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-33005 · Medium · May 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

  • CVE-2023-33002 · Medium · May 16, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.02

    Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2023-30520 · Medium · Apr 12, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook…

  • CVE-2023-28679 · Medium · Apr 2, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with…

  • CVE-2023-28678 · Medium · Apr 2, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

  • CVE-2023-28670 · Medium · Apr 2, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

  • CVE-2023-25768 · Medium · Feb 15, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.

  • CVE-2023-25762 · Medium · Feb 15, 2023
    risk 0.35 · CVSS 5.4 · EPSS 0.81

    Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

  • CVE-2023-24457 · Medium · Jan 26, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-24425 · Medium · Jan 26, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled…

  • CVE-2023-24423 · Medium · Jan 26, 2023
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.

Page 13 of 32