VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,577 total · sorted by risk
  • CVE-2020-2231 · Med · Aug 12, 2020
    risk 0.32 · cvss 5.4 · epss 0.05

    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the…

  • CVE-2020-2229 · Med · Aug 12, 2020
    risk 0.32 · cvss 5.4 · epss 0.07

    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2023-37943 · Med · Jul 12, 2023
    risk 0.31 · cvss 5.9 · epss 0.00

    Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory…

  • CVE-2023-32993 · Med · May 16, 2023
    risk 0.31 · cvss 4.8 · epss 0.00

    Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

  • CVE-2022-25202 · Med · Feb 15, 2022
    risk 0.31 · cvss 4.8 · epss 0.01

    Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

  • CVE-2020-2100 · Med · Jan 29, 2020
    risk 0.31 · cvss 5.8 · epss 0.03

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.

  • CVE-2019-16546 · Med · Nov 21, 2019
    risk 0.31 · cvss 5.9 · epss 0.01

    Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

  • CVE-2019-10349 · Med · Jul 11, 2019
    risk 0.31 · cvss 5.4 · epss 0.04

    A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

  • CVE-2019-1003019 · Med · Feb 6, 2019
    risk 0.31 · cvss 5.9 · epss 0.01

    A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

  • CVE-2017-17383 · Med · Dec 6, 2017
    risk 0.31 · cvss 4.7 · epss 0.01

    Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

  • CVE-2023-24428 · Med · Jan 26, 2023
    risk 0.30 · cvss 5.7 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2022-41231 · Med · Sep 21, 2022
    risk 0.30 · cvss 5.7 · epss 0.01

    Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

  • CVE-2022-27195 · Med · Mar 15, 2022
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by…

  • CVE-2022-20621 · Med · Jan 12, 2022
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2021-21681 · Med · Aug 31, 2021
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2021-21635 · Med · Mar 30, 2021
    risk 0.29 · cvss 5.4 · epss 0.09

    Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2021-21622 · Med · Feb 24, 2021
    risk 0.29 · cvss 5.4 · epss 0.09

    Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2021-21616 · Med · Feb 24, 2021
    risk 0.29 · cvss 4.6 · epss 0.79

    Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2021-21614 · Med · Jan 13, 2021
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2187 · Med · May 6, 2020
    risk 0.29 · cvss 5.6 · epss 0.00

    Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.

  • CVE-2020-2185 · Med · May 6, 2020
    risk 0.29 · cvss 5.6 · epss 0.01

    Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.

  • CVE-2020-2103 · Med · Jan 29, 2020
    risk 0.29 · cvss 5.4 · epss 0.07

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.

  • CVE-2019-10429 · Med · Sep 25, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10398 · Med · Sep 12, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10367 · Med · Aug 7, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

  • CVE-2019-10364 · Med · Jul 31, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.

  • CVE-2019-10361 · Med · Jul 31, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10345 · Med · Jul 31, 2019
    risk 0.29 · cvss 5.5 · epss 0.00

    Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.

  • CVE-2026-57285 · mod · Jun 24, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins GitHub Branch Source Plugin: Information disclosure via missing permission check

  • CVE-2026-53441 · Med · Jun 10, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability…

  • CVE-2026-53440 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled…

  • CVE-2026-53439 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".

  • CVE-2026-53438 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.

  • CVE-2026-53437 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.

  • CVE-2026-53436 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

  • CVE-2026-9674 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.

  • CVE-2026-48926 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2026-48925 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request.

  • CVE-2026-48924 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

  • CVE-2026-48923 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2026-42525 · Med · Apr 29, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

  • CVE-2026-42522 · Med · Apr 29, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

  • CVE-2026-42519 · Med · Apr 29, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

  • CVE-2026-23942 · Med · Mar 13, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. …

  • CVE-2025-0142 · Med · Jan 30, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access.

  • CVE-2024-23905 · Med · Jan 24, 2024
    risk 0.28 · cvss 5.4 · epss 0.01

    Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2023-50779 · Med · Dec 13, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

  • CVE-2023-50777 · Med · Dec 13, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-50776 · Med · Dec 13, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-50775 · Med · Dec 13, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.

Page 18 of 32