VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,578 total · sorted by risk
  • CVE-2022-29049 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.

  • CVE-2022-29047 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the…

  • CVE-2022-29043 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-29041 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-29039 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-29037 · Medium · Apr 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-28152 · Medium · Mar 29, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job.

  • CVE-2022-28151 · Medium · Mar 29, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job.

  • CVE-2022-27215 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2022-27214 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2022-27205 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2022-27199 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

  • CVE-2022-27197 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

  • CVE-2022-27196 · Medium · Mar 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions.

  • CVE-2022-25191 · Medium · Feb 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-25189 · Medium · Feb 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-25185 · Medium · Feb 15, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-23106 · Medium · Jan 12, 2022
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

  • CVE-2021-21700 · Medium · Nov 12, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

  • CVE-2021-21661 · Medium · Jun 10, 2021
    risk 0.28 · CVSS 4.3 · EPSS 0.02

    Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2021-21660 · Medium · May 25, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.

  • CVE-2021-21653 · Medium · May 11, 2021
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2021-21644 · Medium · Apr 21, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

  • CVE-2021-21626 · Medium · Mar 18, 2021
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file…

  • CVE-2021-21621 · Medium · Feb 24, 2021
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.

  • CVE-2021-21611 · Medium · Jan 13, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

  • CVE-2021-21609 · Medium · Jan 13, 2021
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

  • CVE-2021-21608 · Medium · Jan 13, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

  • CVE-2021-21603 · Medium · Jan 13, 2021
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

  • CVE-2020-2296 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.

  • CVE-2020-2292 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

  • CVE-2020-2290 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2289 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2288 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

  • CVE-2020-2287 · Medium · Oct 8, 2020
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL.

  • CVE-2020-2283 · Medium · Sep 23, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control changeset files evaluated by the plugin.

  • CVE-2020-2281 · Medium · Sep 23, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources.

  • CVE-2020-2273 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2020-2272 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2020-2267 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

  • CVE-2020-2260 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

  • CVE-2020-2259 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

  • CVE-2020-2257 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2256 · Medium · Sep 16, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2251 · Medium · Sep 1, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2020-2244 · Medium · Sep 1, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

  • CVE-2020-2238 · Medium · Sep 1, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2237 · Medium · Aug 12, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision.

  • CVE-2020-2236 · Medium · Aug 12, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

  • CVE-2020-2227 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.

Page 21 of 32