VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,577 total · sorted by risk
  • CVE-2019-16557 · Med · Dec 17, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-16555 · Med · Dec 17, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that wasn't interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process.

  • CVE-2019-16545 · Med · Nov 21, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2019-16540 · Med · Nov 21, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A path traversal vulnerability in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master.

  • CVE-2019-16539 · Med · Nov 21, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.

  • CVE-2019-10472 · Med · Oct 23, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10467 · Med · Oct 23, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10463 · Med · Oct 23, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10459 · Med · Oct 23, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the…

  • CVE-2019-10438 · Med · Oct 16, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2019-10436 · Med · Oct 16, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.

  • CVE-2019-10427 · Med · Sep 25, 2019
    risk 0.35 · cvss 5.3 · epss 0.01

    Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-10416 · Med · Sep 25, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10415 · Med · Sep 25, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10414 · Med · Sep 25, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10410 · Med · Sep 25, 2019
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

  • CVE-2019-10403 · Med · Sep 25, 2019
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.

  • CVE-2019-10374 · Med · Aug 7, 2019
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.

  • CVE-2019-10373 · Med · Aug 7, 2019
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

  • CVE-2019-10370 · Med · Aug 7, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.

  • CVE-2019-10366 · Med · Jul 31, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10358 · Med · Jul 31, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.

  • CVE-2019-10341 · Med · Jul 11, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2019-10334 · Med · Jun 11, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files.

  • CVE-2019-10324 · Med · May 31, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform…

  • CVE-2019-10308 · Med · Apr 30, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users.

  • CVE-2019-10307 · Med · Apr 30, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.

  • CVE-2019-10305 · Med · Apr 18, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-10304 · Med · Apr 18, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003099 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003098 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003093 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003092 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003089 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-1003085 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003084 · Med · Apr 4, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003047 · Med · Mar 28, 2019
    risk 0.35 · cvss 6.5 · epss 0.02

    A missing permission check in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003046 · Med · Mar 28, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003037 · Med · Mar 8, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2019-1003012 · Med · Feb 6, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js,…

  • CVE-2018-1000422 · Med · Jan 9, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and…

  • CVE-2018-1000411 · Med · Jan 9, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.

  • CVE-2018-1000408 · Med · Jan 9, 2019
    risk 0.35 · cvss 6.5 · epss 0.01

    A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in…

  • CVE-2017-1000105 · Med · Oct 5, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts; Item/Read permission was sufficient.

  • CVE-2017-1000103 · Med · Oct 5, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    The custom Details view of the Static Analysis Utilities based DRY Plugin was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.

  • CVE-2017-1000102 · Med · Oct 5, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    The Details view of some Static Analysis Utilities based plugins was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings…

  • CVE-2017-1000094 · Med · Oct 5, 2017
    risk 0.35 · cvss 6.5 · epss 0.01

    Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a…

  • CVE-2017-1000089 · Med · Oct 5, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project…

  • CVE-2017-1000088 · Med · Oct 5, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.

  • CVE-2017-1000084 · Med · Oct 5, 2017
    risk 0.35 · cvss 6.5 · epss 0.01

    Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

Page 16 of 32