VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2020-2143 · Med · Mar 9, 2020
    risk 0.27 · cvss 5.3 · epss 0.01

    Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-1003017 · Med · Feb 6, 2019
    risk 0.27 · cvss 5.3 · epss 0.01

    A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's…

  • CVE-2020-2184 · Med · May 6, 2020
    risk 0.25 · cvss 4.3 · epss 0.44

    A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.

  • CVE-2019-10363 · Med · Jul 31, 2019
    risk 0.25 · cvss 4.9 · epss 0.01

    Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form.

  • CVE-2023-37948 · Low · Jul 12, 2023
    risk 0.24 · cvss 3.7 · epss 0.00

    Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting to OCI clouds, enabling man-in-the-middle attacks.

  • CVE-2023-32994 · Low · May 16, 2023
    risk 0.24 · cvss 3.7 · epss 0.00

    Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

  • CVE-2022-27207 · Med · Mar 15, 2022
    risk 0.24 · cvss 4.8 · epss 0.01

    Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

  • CVE-2022-23110 · Med · Jan 12, 2022
    risk 0.24 · cvss 4.8 · epss 0.01

    Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

  • CVE-2021-21672 · Med · Jun 30, 2021
    risk 0.24 · cvss 4.3 · epss 0.43

    Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2253 · Med · Sep 16, 2020
    risk 0.24 · cvss 4.8 · epss 0.01

    Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.

  • CVE-2020-2252 · Med · Sep 16, 2020
    risk 0.24 · cvss 4.8 · epss 0.01

    Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.

  • CVE-2019-10406 · Med · Sep 25, 2019
    risk 0.24 · cvss 4.8 · epss 0.01

    Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

  • CVE-2019-10383 · Med · Aug 28, 2019
    risk 0.24 · cvss 4.8 · epss 0.01

    A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

  • CVE-2019-1003014 · Med · Feb 6, 2019
    risk 0.24 · cvss 4.8 · epss 0.01

    A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user…

  • CVE-2017-2651 · Low · Jul 27, 2018
    risk 0.24 · cvss 3.7 · epss 0.02

    jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in…

  • CVE-2023-41946 · Low · Sep 6, 2023
    risk 0.23 · cvss 3.5 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the…

  • CVE-2022-45393 · Low · Nov 15, 2022
    risk 0.23 · cvss 3.5 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.

  • CVE-2022-23111 · Med · Jan 12, 2022
    risk 0.23 · cvss 4.3 · epss 0.28

    A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2024-23897 · Cri · KEV · Jan 24, 2024
    risk 0.22 · cvss 9.8 · epss 1.00

    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins…

  • CVE-2023-27903 · Med · Mar 10, 2023
    risk 0.22 · cvss 4.4 · epss 0.00

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins…

  • CVE-2024-23902 · Med · Jan 24, 2024
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2024-23900 · Med · Jan 24, 2024
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content…

  • CVE-2023-50769 · Med · Dec 13, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-50765 · Med · Dec 13, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

  • CVE-2023-43502 · Med · Sep 20, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes.

  • CVE-2023-43494 · Med · Sep 20, 2023
    risk 0.21 · cvss 4.3 · epss 0.03

    Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of…

  • CVE-2023-4303 · Med · Aug 21, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability.

  • CVE-2023-3315 · Med · Jun 19, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2023-2631 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2023-2195 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2023-2633 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-2632 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-2196 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

  • CVE-2023-32982 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-32978 · Med · May 16, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

  • CVE-2023-30529 · Med · Apr 12, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.

  • CVE-2023-27902 · Med · Mar 10, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.

  • CVE-2023-25766 · Med · Feb 15, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-46685 · Med · Dec 12, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.

  • CVE-2022-43431 · Med · Oct 19, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-43427 · Med · Oct 19, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-43413 · Med · Oct 19, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-41233 · Med · Sep 21, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

  • CVE-2022-41230 · Med · Sep 21, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for…

  • CVE-2022-36897 · Med · Jul 27, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

  • CVE-2022-36895 · Med · Jul 27, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

  • CVE-2022-36891 · Med · Jul 27, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    A missing permission check in Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier allows attackers with Item/Read permission but without Deploy Now/Deploy permission to read deployment logs.

  • CVE-2022-36887 · Med · Jul 27, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system…

  • CVE-2022-36886 · Med · Jul 27, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier allows attackers to create runs of an external job.

  • CVE-2022-30946 · Med · May 17, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

Page 24 of 32