VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,577 total · sorted by risk
  • CVE-2022-25184MedFeb 15, 2022
    risk 0.35cvss 6.5epss 0.01

    Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.

  • CVE-2022-23112MedJan 12, 2022
    risk 0.35cvss 6.5epss 0.01

    A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2022-23109MedJan 12, 2022
    risk 0.35cvss 6.5epss 0.01

    Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

  • CVE-2022-23108MedJan 12, 2022
    risk 0.35cvss 5.4epss 0.01

    Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-23105MedJan 12, 2022
    risk 0.35cvss 6.5epss 0.00

    Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.

  • CVE-2022-20615MedJan 12, 2022
    risk 0.35cvss 5.4epss 0.82

    Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

  • CVE-2021-21683MedOct 6, 2021
    risk 0.35cvss 6.5epss 0.02

    The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows…

  • CVE-2021-21664MedJun 10, 2021
    risk 0.35cvss 6.5epss 0.01

    An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password…

  • CVE-2021-21643MedApr 21, 2021
    risk 0.35cvss 6.5epss 0.01

    Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

  • CVE-2021-21634MedMar 30, 2021
    risk 0.35cvss 6.5epss 0.01

    Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2021-21632MedMar 30, 2021
    risk 0.35cvss 6.5epss 0.01

    A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

  • CVE-2021-21628MedMar 30, 2021
    risk 0.35cvss 5.4epss 0.82

    Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2021-21623MedMar 18, 2021
    risk 0.35cvss 6.5epss 0.01

    An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

  • CVE-2021-21615MedJan 26, 2021
    risk 0.35cvss 5.3epss 0.01

    Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

  • CVE-2021-21607MedJan 13, 2021
    risk 0.35cvss 6.5epss 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

  • CVE-2021-21602MedJan 13, 2021
    risk 0.35cvss 6.5epss 0.02

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

  • CVE-2020-2317MedNov 4, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.

  • CVE-2020-2316MedNov 4, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2315MedNov 4, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2305MedNov 4, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2304MedNov 4, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2271MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2270MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2269MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

  • CVE-2020-2266MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2265MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

  • CVE-2020-2264MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2263MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2262MedSep 16, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

  • CVE-2020-2254MedSep 16, 2020
    risk 0.35cvss 6.5epss 0.02

    Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

  • CVE-2020-2246MedSep 1, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.

  • CVE-2020-2243MedSep 1, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

  • CVE-2020-2242MedSep 1, 2020
    risk 0.35cvss 6.5epss 0.01

    A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials.

  • CVE-2020-2219MedJul 2, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2201MedJul 2, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2192MedJun 3, 2020
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.

  • CVE-2020-2183MedMay 6, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.

  • CVE-2020-2181MedMay 6, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.

  • CVE-2020-2176MedApr 7, 2020
    risk 0.35cvss 5.4epss 0.01

    Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango…

  • CVE-2020-2172MedApr 7, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2170MedMar 25, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

  • CVE-2020-2163MedMar 25, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.

  • CVE-2020-2161MedMar 25, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

  • CVE-2020-2151MedMar 9, 2020
    risk 0.35cvss 5.3epss 0.01

    Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2020-2139MedMar 9, 2020
    risk 0.35cvss 6.5epss 0.02

    An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system.

  • CVE-2020-2132MedFeb 12, 2020
    risk 0.35cvss 6.5epss 0.01

    Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2122MedFeb 12, 2020
    risk 0.35cvss 5.4epss 0.01

    Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.

  • CVE-2020-2119MedFeb 12, 2020
    risk 0.35cvss 5.3epss 0.01

    Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-16563MedDec 17, 2019
    risk 0.35cvss 5.4epss 0.01

    Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

  • CVE-2019-16559MedDec 17, 2019
    risk 0.35cvss 5.4epss 0.01

    A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

Page 15 of 32