VYPR Vendor CVEs: Jenkins Project

All CVEs (1,579 total · sorted by risk)
  • CVE-2020-2227 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2226 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2225 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2224 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2223 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not correctly escape the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2222 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2221 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2220 · Medium · Jul 15, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2216 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password.

  • CVE-2020-2215 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.

  • CVE-2020-2214 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2020-2212 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration.

  • CVE-2020-2210 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2020-2208 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2204 · Medium · Jul 2, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

  • CVE-2020-2195 · Medium · Jun 3, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

  • CVE-2020-2190 · Medium · Jun 3, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2188 · Medium · May 6, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2175 · Medium · Apr 7, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

  • CVE-2020-2173 · Medium · Apr 7, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.

  • CVE-2020-2162 · Medium · Mar 25, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.

  • CVE-2020-2157 · Medium · Mar 9, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2020-2156 · Medium · Mar 9, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2020-2136 · Medium · Mar 9, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2128 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2127 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2020-2125 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2124 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2113 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

  • CVE-2020-2112 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

  • CVE-2020-2111 · Medium · Feb 12, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.

  • CVE-2020-2107 · Medium · Jan 29, 2020
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2106 · Medium · Jan 29, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.

  • CVE-2020-2105 · Medium · Jan 29, 2020
    risk 0.28 · CVSS 5.4 · EPSS 0.02

    REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.

  • CVE-2020-2102 · Medium · Jan 29, 2020
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.

  • CVE-2020-2101 · Medium · Jan 29, 2020
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.

  • CVE-2019-16571 · Medium · Dec 17, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.

  • CVE-2019-16569 · Medium · Dec 17, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.

  • CVE-2019-16567 · Medium · Dec 17, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.

  • CVE-2019-16564 · Medium · Dec 17, 2019
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affect view content such as job display names or pipeline stage names.

  • CVE-2019-16552 · Medium · Dec 17, 2019
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on…

  • CVE-2019-10465 · Medium · Oct 23, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins…

  • CVE-2019-10457 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10456 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10452 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10451 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10447 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10445 · Medium · Oct 16, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.

  • CVE-2019-10432 · Medium · Oct 1, 2019
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.

  • CVE-2019-10421 · Medium · Sep 25, 2019
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Page 22 of 32