VYPR · Vendor CVEs

Jenkins Project: all CVEs

1,578 total · sorted by risk
  • CVE-2022-45398 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

  • CVE-2022-45394 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

  • CVE-2022-45390 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-45387 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2022-45382 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

  • CVE-2022-45380 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-43434 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2022-43433 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2022-43432 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2022-43428 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller…

  • CVE-2022-43424 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller…

  • CVE-2022-43422 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

  • CVE-2022-43420 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast…

  • CVE-2022-43414 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the…

  • CVE-2022-43411 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook tokens are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2022-43410 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.

  • CVE-2022-43409 · Medium · Oct 19, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

  • CVE-2022-41252 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-41251 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-41247 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-41240 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

  • CVE-2022-41229 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-41225 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

  • CVE-2022-41224 · Medium · Sep 21, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this…

  • CVE-2022-38664 · Medium · Aug 23, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.

  • CVE-2022-36919 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-36913 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Openstack Heat Plugin 1.5 and earlier does not perform permission checks in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2022-36912 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2022-36910 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them.

  • CVE-2022-36904 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2022-36903 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Repository Connector Plugin 2.2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-36890 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file…

  • CVE-2022-36885 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

  • CVE-2022-36884 · Medium · Jul 27, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.

  • CVE-2022-34801 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2022-34800 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34799 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34798 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

  • CVE-2022-34797 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

  • CVE-2022-34796 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-34785 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.

  • CVE-2022-34782 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

  • CVE-2022-34778 · Medium · Jun 30, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to…

  • CVE-2022-34208 · Medium · Jun 23, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2022-34206 · Medium · Jun 23, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL.

  • CVE-2022-34191 · Medium · Jun 23, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier does not escape the name of NetStorm Test parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34188 · Medium · Jun 23, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34170 · Medium · Jun 23, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability…

  • CVE-2022-30957 · Medium · May 17, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-30949 · Medium · May 17, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
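CVE-2022-43411 (GitLab Plugin, shared-secret token) and CVE-2022-36885 (GitHub Plugin, HMAC signature) are the same bug in two forms: the webhook secret is compared with an early-exit string comparison, so the response time depends on how many leading bytes were right. The following is an added example, not either plugin's code, of both checks done with a constant-time comparison. The header names follow the two services' webhook conventions; the secret and request body in `main` are constructed sample values.

```java
// Added example, not the plugins' own code. Sample secret and body are made up.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class WebhookAuth {

    // VULNERABLE: String.equals returns at the first differing character, so
    // the time taken grows with the length of the correct prefix. Repeating
    // requests and averaging lets an attacker recover the token byte by byte.
    static boolean tokenMatchesUnsafe(String provided, String expected) {
        return expected.equals(provided);
    }

    // FIXED: MessageDigest.isEqual examines every byte of equal-length inputs
    // before answering, so timing no longer reveals where they differ.
    // (A length mismatch still returns early, which reveals only the length.)
    static boolean tokenMatches(String provided, String expected) {
        if (provided == null || expected == null) return false;
        return MessageDigest.isEqual(provided.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    // GitHub-style check: X-Hub-Signature-256 is "sha256=" + hex(HMAC-SHA256(secret, body)).
    // Recompute over the raw request body and compare in constant time.
    static boolean signatureMatches(String header, byte[] secret, byte[] rawBody)
            throws GeneralSecurityException {
        if (header == null || !header.startsWith("sha256=")) return false;
        String expected = "sha256=" + hex(hmacSha256(secret, rawBody));
        return MessageDigest.isEqual(header.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmacSha256(byte[] secret, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not real secrets.
        byte[] secret = "webhook-secret-example".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"ref\":\"refs/heads/main\"}".getBytes(StandardCharsets.UTF_8);
        String genuine = "sha256=" + hex(hmacSha256(secret, body));
        // Flip the last hex digit to simulate a forged or corrupted signature.
        String tampered = genuine.substring(0, genuine.length() - 1) + (genuine.endsWith("0") ? "1" : "0");
        System.out.println("genuine signature accepted: " + signatureMatches(genuine, secret, body));
        System.out.println("tampered signature rejected: " + !signatureMatches(tampered, secret, body));
        System.out.println("plain token accepted: " + tokenMatches("t0k3n", "t0k3n"));
    }
}
```

The signature must be computed over the exact bytes received, before any JSON parsing or re-serialization, or valid deliveries fail while the comparison itself is fine.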
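CVE-2022-43428, CVE-2022-43424 and CVE-2022-43422 (controller system properties) and CVE-2022-43414 (test-result files from an attacker-chosen directory) describe agent/controller messages that "do not limit where they can be executed". In Jenkins remoting a message is a `Callable`; one that never declares a role can be replayed by a compromised agent toward the controller and runs there. The block below is an added example, not the plugins' code, with the unrestricted form next to the role-restricted form and the FilePath equivalent. Class names are invented for the illustration; the remoting and core APIs are real.

```java
// Added example, not code from the plugins listed above. Class names are made up.
import hudson.FilePath;
import hudson.remoting.Callable;
import hudson.remoting.VirtualChannel;
import java.io.File;
import java.io.IOException;
import jenkins.MasterToSlaveFileCallable;
import jenkins.security.MasterToSlaveCallable;
import org.jenkinsci.remoting.RoleChecker;

public final class AgentMessages {

    // VULNERABLE: a raw Callable whose checkRoles() asserts nothing may run on
    // either end of the channel. An attacker who controls an agent process can
    // send it to the controller and read controller-side system properties
    // (proxy credentials, -D flags and similar).
    static final class ReadPropertyUnsafe implements Callable<String, RuntimeException> {
        private static final long serialVersionUID = 1L;
        private final String name;
        ReadPropertyUnsafe(String name) { this.name = name; }
        @Override public String call() { return System.getProperty(name); }
        @Override public void checkRoles(RoleChecker checker) { /* no restriction */ }
    }

    // FIXED: MasterToSlaveCallable declares that it may only execute on an agent.
    // If an agent sends it toward the controller, the controller's role check
    // rejects the message before call() runs.
    static final class ReadProperty extends MasterToSlaveCallable<String, RuntimeException> {
        private static final long serialVersionUID = 1L;
        private final String name;
        ReadProperty(String name) { this.name = name; }
        @Override public String call() { return System.getProperty(name); }
    }

    // FilePath counterpart for "parse files in a directory": the callable runs
    // where the FilePath lives (the agent workspace), so a path supplied by the
    // agent side can never point it at the controller file system.
    static final class CountXmlReports extends MasterToSlaveFileCallable<Integer> {
        private static final long serialVersionUID = 1L;
        @Override public Integer invoke(File dir, VirtualChannel channel) throws IOException {
            String[] names = dir.list((d, n) -> n.endsWith(".xml"));
            if (names == null) throw new IOException("not a directory: " + dir);
            return names.length;
        }
    }

    // Controller-side use: both messages travel controller -> agent only.
    static String agentJavaVersion(VirtualChannel agent) throws IOException, InterruptedException {
        return agent.call(new ReadProperty("java.version"));
    }

    static int reportCount(FilePath workspace) throws IOException, InterruptedException {
        return workspace.child("test-results").act(new CountXmlReports());
    }
}
```

Where a message genuinely has to originate on the agent, `jenkins.security.SlaveToMasterCallable` is the declared form; anything it does on the controller must then be written on the assumption that the agent is hostile, since the agent chooses every field of the message.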
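CVE-2022-41247, CVE-2022-34800 and CVE-2022-34799 store an API key, token or password as a plain `String` field, which Jenkins serializes verbatim into the plugin's XML on the controller; CVE-2022-34801 is the form-side version of the same mistake, where the value reaches the browser unencrypted. The block below is an added example, not any listed plugin's code, of a global configuration that uses `hudson.util.Secret` instead and migrates values saved by the vulnerable version. ExampleGlobalConfiguration, apiKey and apiKeySecret are invented names.

```java
// Added example, not code from the plugins listed above. Names are made up.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // VULNERABLE: a String field is written verbatim by XStream, so
    // $JENKINS_HOME/ExampleGlobalConfiguration.xml contains
    //   <apiKey>the-live-key</apiKey>
    // readable by anyone with file-system access to the controller. Kept here
    // only so configurations saved by the old version can still be read back.
    @Deprecated
    private String apiKey;

    // FIXED: Secret is serialized in encrypted form, e.g.
    //   <apiKeySecret>{AQAAABAAAA...}</apiKeySecret>
    // using the instance key kept under $JENKINS_HOME/secrets/.
    private Secret apiKeySecret;

    public ExampleGlobalConfiguration() {
        load();
    }

    // Migration hook XStream calls after deserializing: wrap a legacy plaintext
    // value in a Secret and clear the old field. The encrypted form is written
    // the next time the configuration is saved.
    protected Object readResolve() {
        if (apiKey != null) {
            apiKeySecret = Secret.fromString(apiKey);
            apiKey = null;
        }
        return this;
    }

    public Secret getApiKeySecret() { return apiKeySecret; }

    @DataBoundSetter
    public void setApiKeySecret(Secret apiKeySecret) {
        this.apiKeySecret = apiKeySecret;
        save();
    }

    // Decrypt only at the point of use; never log or render the plain text.
    public String apiKeyForRequest() {
        return Secret.toString(apiKeySecret);
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);
        save();
        return true;
    }
}
```

The matching `config.jelly` must bind the field with `<f:password field="apiKeySecret"/>` rather than `<f:textbox>`: `f:password` sends the browser the encrypted representation and accepts it back, which is what closes the plaintext-in-form exposure of the CVE-2022-34801 kind. To confirm a plugin has been fixed, grep its XML under `$JENKINS_HOME` for the configured value; only the `{...}` encrypted form should appear.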

Page 20 of 32