Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2019-10409 · Med · Sep 25, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.

  • CVE-2019-10408 · Med · Sep 25, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.

  • CVE-2019-10404 · Med · Sep 25, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching…

  • CVE-2019-10402 · Med · Sep 25, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

  • CVE-2019-10401 · Med · Sep 25, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).

  • CVE-2019-10396 · Med · Sep 12, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.

  • CVE-2019-10395 · Med · Sep 12, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.

  • CVE-2019-10389 · Med · Aug 7, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

  • CVE-2019-10388 · Med · Aug 7, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

  • CVE-2019-10377 · Med · Aug 7, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.

  • CVE-2019-10365 · Med · Jul 31, 2019
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission.

  • CVE-2019-10362 · Med · Jul 31, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

  • CVE-2019-10360 · Med · Jul 31, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

  • CVE-2019-10342 · Med · Jul 11, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10335 · Med · Jun 11, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status…

  • CVE-2019-10333 · Med · Jun 11, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances.

  • CVE-2019-10332 · Med · Jun 11, 2019
    risk 0.28 · cvss 4.3 · epss 0.02

    A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10331 · Med · Jun 11, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10323 · Med · May 31, 2019
    risk 0.28 · cvss 4.3 · epss 0.02

    A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10322 · Med · May 31, 2019
    risk 0.28 · cvss 4.3 · epss 0.02

    A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…

  • CVE-2019-10321 · Med · May 31, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…

  • CVE-2019-10319 · Med · May 21, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.

  • CVE-2019-10312 · Med · Apr 30, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-1003050 · Med · Apr 10, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

  • CVE-2019-1003042 · Med · Mar 28, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.

  • CVE-2019-1003028 · Med · Feb 20, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.

  • CVE-2019-1003027 · Med · Feb 20, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if…

  • CVE-2019-1003026 · Med · Feb 20, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a…

  • CVE-2019-1003021 · Med · Feb 6, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious…

  • CVE-2019-1003020 · Med · Feb 6, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL.

  • CVE-2019-1003013 · Med · Feb 6, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java,…

  • CVE-2018-1000415 · Med · Jan 9, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly,…

  • CVE-2018-1000413 · Med · Jan 9, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

  • CVE-2018-1000409 · Med · Jan 9, 2019
    risk 0.28 · cvss 5.4 · epss 0.01

    A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a…

  • CVE-2017-1000243 · Med · Nov 1, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites.

  • CVE-2017-1000110 · Med · Oct 5, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and…

  • CVE-2017-1000087 · Med · Oct 5, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those…

  • CVE-2014-9635 · Med · Sep 12, 2017
    risk 0.28 · cvss 5.3 · epss 0.03

    Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

  • CVE-2014-9634 · Med · Sep 12, 2017
    risk 0.28 · cvss 5.3 · epss 0.03

    Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

  • CVE-2016-3101 · Med · Feb 9, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.

  • CVE-2016-3725 · Med · May 17, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

  • CVE-2016-3723 · Med · May 17, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

  • CVE-2016-3722 · Med · May 17, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

  • CVE-2016-3721 · Med · May 17, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

  • CVE-2015-7536 · Med · Feb 3, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

  • CVE-2025-13472 · Med · Dec 3, 2025
    risk 0.27 · cvss n/a · epss 0.00

    A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.

  • CVE-2024-23903 · Med · Jan 24, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-32985 · Med · May 16, 2023
    risk 0.27 · cvss 4.3 · epss 0.72

    Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2023-32983 · Med · May 16, 2023
    risk 0.27 · cvss 5.3 · epss 0.00

    Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2022-43423 · Med · Oct 19, 2022
    risk 0.27 · cvss 5.3 · epss 0.01

    Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from…

Page 23 of 32