VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2022-29052MedApr 12, 2022
    risk 0.21cvss 4.3epss 0.01

    Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-29051MedApr 12, 2022
    risk 0.21cvss 4.3epss 0.01

    Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

  • CVE-2022-29048MedApr 12, 2022
    risk 0.21cvss 4.3epss 0.02

    A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2022-28137MedMar 29, 2022
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2022-25190MedFeb 15, 2022
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-25188MedFeb 15, 2022
    risk 0.21cvss 4.3epss 0.01

    Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the…

  • CVE-2022-25180MedFeb 15, 2022
    risk 0.21cvss 4.3epss 0.01

    Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

  • CVE-2022-23113MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

  • CVE-2022-20620MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-20618MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-20616MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

  • CVE-2022-20614MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

  • CVE-2022-20613MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

  • CVE-2022-20612MedJan 12, 2022
    risk 0.21cvss 4.3epss 0.02

    A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.

  • CVE-2021-21682MedOct 6, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.

  • CVE-2021-21674MedJun 30, 2021
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

  • CVE-2021-21670MedJun 30, 2021
    risk 0.21cvss 4.3epss 0.02

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

  • CVE-2021-21662MedJun 10, 2021
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2021-21654MedMay 11, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.

  • CVE-2021-21651MedMay 11, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.

  • CVE-2021-21650MedMay 11, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission…

  • CVE-2021-21647MedApr 21, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

  • CVE-2021-21645MedApr 21, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs.

  • CVE-2021-21641MedApr 7, 2021
    risk 0.21cvss 4.3epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds.

  • CVE-2021-21640MedApr 7, 2021
    risk 0.21cvss 4.3epss 0.02

    Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

  • CVE-2021-21639MedApr 7, 2021
    risk 0.21cvss 4.3epss 0.03

    Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

  • CVE-2021-21631MedMar 30, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

  • CVE-2021-21625MedMar 18, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

  • CVE-2021-21624MedMar 18, 2021
    risk 0.21cvss 4.3epss 0.01

    An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

  • CVE-2021-21606MedJan 13, 2021
    risk 0.21cvss 4.3epss 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

  • CVE-2020-2313MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2311MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.

  • CVE-2020-2310MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2309MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2308MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.

  • CVE-2020-2307MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

  • CVE-2020-2306MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

  • CVE-2020-2303MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

  • CVE-2020-2302MedNov 4, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.

  • CVE-2020-2297LowOct 8, 2020
    risk 0.21cvss 3.3epss 0.00

    Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2291LowOct 8, 2020
    risk 0.21cvss 3.3epss 0.00

    Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2020-2285MedSep 23, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2282MedSep 23, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin.

  • CVE-2020-2258MedSep 16, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

  • CVE-2020-2255MedSep 16, 2020
    risk 0.21cvss 4.3epss 0.01

    A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2020-2239MedSep 1, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

  • CVE-2020-2218LowJul 2, 2020
    risk 0.21cvss 3.3epss 0.00

    Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2213MedJul 2, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system.

  • CVE-2020-2209MedJul 2, 2020
    risk 0.21cvss 4.3epss 0.01

    Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2203MedJul 2, 2020
    risk 0.21cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Page 25 of 32