Vendor CVEs
Jenkins Project
All CVEs
1,579 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2227 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2226 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2225 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2224 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2223 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2222 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2221 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2220 | Med | 0.28 | 5.4 | 0.01 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2216 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password. | ||
| CVE-2020-2215 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. | ||
| CVE-2020-2214 | Med | 0.28 | 5.4 | 0.01 | Jul 2, 2020 | Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | ||
| CVE-2020-2212 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. | ||
| CVE-2020-2210 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. | ||
| CVE-2020-2208 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2020-2204 | Med | 0.28 | 5.4 | 0.01 | Jul 2, 2020 | A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. | ||
| CVE-2020-2195 | Med | 0.28 | 5.4 | 0.01 | Jun 3, 2020 | Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. | ||
| CVE-2020-2190 | Med | 0.28 | 5.4 | 0.01 | Jun 3, 2020 | Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2188 | Med | 0.28 | 4.3 | 0.01 | May 6, 2020 | A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | ||
| CVE-2020-2175 | Med | 0.28 | 5.4 | 0.01 | Apr 7, 2020 | Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin. | ||
| CVE-2020-2173 | Med | 0.28 | 5.4 | 0.01 | Apr 7, 2020 | Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content. | ||
| CVE-2020-2162 | Med | 0.28 | 5.4 | 0.01 | Mar 25, 2020 | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | ||
| CVE-2020-2157 | Med | 0.28 | 4.3 | 0.01 | Mar 9, 2020 | Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. | ||
| CVE-2020-2156 | Med | 0.28 | 4.3 | 0.01 | Mar 9, 2020 | Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. | ||
| CVE-2020-2136 | Med | 0.28 | 5.4 | 0.01 | Mar 9, 2020 | Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2128 | Med | 0.28 | 4.3 | 0.01 | Feb 12, 2020 | Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2020-2127 | Med | 0.28 | 4.3 | 0.01 | Feb 12, 2020 | Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | ||
| CVE-2020-2125 | Med | 0.28 | 4.3 | 0.01 | Feb 12, 2020 | Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | ||
| CVE-2020-2124 | Med | 0.28 | 4.3 | 0.01 | Feb 12, 2020 | Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2020-2113 | Med | 0.28 | 5.4 | 0.01 | Feb 12, 2020 | Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. | ||
| CVE-2020-2112 | Med | 0.28 | 5.4 | 0.01 | Feb 12, 2020 | Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. | ||
| CVE-2020-2111 | Med | 0.28 | 5.4 | 0.01 | Feb 12, 2020 | Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability. | ||
| CVE-2020-2107 | Med | 0.28 | 4.3 | 0.01 | Jan 29, 2020 | Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2020-2106 | Med | 0.28 | 5.4 | 0.01 | Jan 29, 2020 | Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations. | ||
| CVE-2020-2105 | Med | 0.28 | 5.4 | 0.02 | Jan 29, 2020 | REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. | ||
| CVE-2020-2102 | Med | 0.28 | 5.3 | 0.01 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC. | ||
| CVE-2020-2101 | Med | 0.28 | 5.3 | 0.01 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret. | ||
| CVE-2019-16571 | Med | 0.28 | 4.3 | 0.01 | Dec 17, 2019 | A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. | ||
| CVE-2019-16569 | Med | 0.28 | 4.3 | 0.01 | Dec 17, 2019 | A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials. | ||
| CVE-2019-16567 | Med | 0.28 | 4.3 | 0.01 | Dec 17, 2019 | A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | ||
| CVE-2019-16564 | Med | 0.28 | 5.4 | 0.01 | Dec 17, 2019 | Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names. | ||
| CVE-2019-16552 | Med | 0.28 | 5.4 | 0.01 | Dec 17, 2019 | A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on… | ||
| CVE-2019-10465 | Med | 0.28 | 4.3 | 0.01 | Oct 23, 2019 | A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins… | ||
| CVE-2019-10457 | Med | 0.28 | 4.3 | 0.01 | Oct 16, 2019 | A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||
| CVE-2019-10456 | Med | 0.28 | 4.3 | 0.01 | Oct 16, 2019 | A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||
| CVE-2019-10452 | Med | 0.28 | 4.3 | 0.00 | Oct 16, 2019 | Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2019-10451 | Med | 0.28 | 4.3 | 0.00 | Oct 16, 2019 | Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | ||
| CVE-2019-10447 | Med | 0.28 | 4.3 | 0.01 | Oct 16, 2019 | Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||
| CVE-2019-10445 | Med | 0.28 | 4.3 | 0.01 | Oct 16, 2019 | A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID. | ||
| CVE-2019-10432 | Med | 0.28 | 5.4 | 0.01 | Oct 1, 2019 | Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. | ||
| CVE-2019-10421 | Med | 0.28 | 4.3 | 0.01 | Sep 25, 2019 | Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
- risk 0.28cvss 5.4epss 0.01
Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 5.4epss 0.01
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.
- risk 0.28cvss 5.4epss 0.01
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
- risk 0.28cvss 4.3epss 0.01
Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration.
- risk 0.28cvss 4.3epss 0.01
Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
- risk 0.28cvss 4.3epss 0.01
Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 5.4epss 0.01
A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
- risk 0.28cvss 5.4epss 0.01
Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
- risk 0.28cvss 5.4epss 0.01
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- risk 0.28cvss 5.4epss 0.01
Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.
- risk 0.28cvss 5.4epss 0.01
Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
- risk 0.28cvss 5.4epss 0.01
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
- risk 0.28cvss 4.3epss 0.01
Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
- risk 0.28cvss 4.3epss 0.01
Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
- risk 0.28cvss 5.4epss 0.01
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 4.3epss 0.01
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 4.3epss 0.01
Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- risk 0.28cvss 4.3epss 0.01
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
- risk 0.28cvss 4.3epss 0.01
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 5.4epss 0.01
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
- risk 0.28cvss 5.4epss 0.01
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
- risk 0.28cvss 5.4epss 0.01
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.
- risk 0.28cvss 4.3epss 0.01
Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 5.4epss 0.01
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.
- risk 0.28cvss 5.4epss 0.02
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
- risk 0.28cvss 5.3epss 0.01
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
- risk 0.28cvss 5.3epss 0.01
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- risk 0.28cvss 5.4epss 0.01
Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.
- risk 0.28cvss 5.4epss 0.01
A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on…
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins…
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.00
Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 4.3epss 0.00
Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- risk 0.28cvss 4.3epss 0.01
Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- risk 0.28cvss 4.3epss 0.01
A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.
- risk 0.28cvss 5.4epss 0.01
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
- risk 0.28cvss 4.3epss 0.01
Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Page 22 of 32