VYPR · Vendor CVEs · Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2020-2202 · Medium · Jul 2, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2020-2191 · Medium · Jun 3, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels.

  • CVE-2020-2186 · Medium · May 6, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.

  • CVE-2020-2182 · Medium · May 6, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.

  • CVE-2020-2177 · Medium · Apr 16, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2153 · Medium · Mar 9, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2020-2148 · Medium · Mar 9, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2020-2147 · Medium · Mar 9, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2020-2142 · Medium · Mar 9, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.

  • CVE-2020-2141 · Medium · Mar 9, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce.

  • CVE-2020-2126 · Medium · Feb 12, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2104 · Medium · Jan 29, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.

  • CVE-2020-2095 · Medium · Jan 15, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2094 · Medium · Jan 15, 2020
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specified recipient.

  • CVE-2019-16554 · Medium · Dec 17, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.

  • CVE-2019-16547 · Medium · Nov 21, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.

  • CVE-2019-10474 · Medium · Oct 23, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

  • CVE-2019-10473 · Medium · Oct 23, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10455 · Medium · Oct 16, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10454 · Medium · Oct 16, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10450 · Low · Oct 16, 2019
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10442 · Medium · Oct 16, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10441 · Medium · Oct 16, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10439 · Medium · Oct 16, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10357 · Medium · Jul 31, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.

  • CVE-2019-10344 · Medium · Jul 31, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.

  • CVE-2019-10354 · Medium · Jul 17, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.02

    A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

  • CVE-2019-10320 · Medium · May 21, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

  • CVE-2019-1003036 · Medium · Mar 8, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

  • CVE-2019-1003035 · Medium · Mar 8, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission…

  • CVE-2019-1003030 · Critical · KEV · Mar 8, 2019
    risk 0.21 · CVSS 9.9 · EPSS 0.76

    A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

  • CVE-2019-1003029 · Critical · KEV · Mar 8, 2019
    risk 0.21 · CVSS 9.9 · EPSS 0.74

    A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows…

  • CVE-2019-1003018 · Medium · Feb 6, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious…

  • CVE-2019-1003010 · Medium · Feb 6, 2019
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

  • CVE-2016-3727 · Medium · May 17, 2016
    risk 0.21 · CVSS 4.3 · EPSS 0.02

    The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

  • CVE-2023-4777 · Low · Sep 8, 2023
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins…

  • CVE-2023-4302 · Medium · Aug 21, 2023
    risk 0.20 · CVSS 4.2 · EPSS 0.00

    A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-4301 · Medium · Aug 21, 2023
    risk 0.20 · CVSS 4.2 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10400 · Medium · Sep 12, 2019
    risk 0.20 · CVSS 4.2 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10399 · Medium · Sep 12, 2019
    risk 0.20 · CVSS 4.2 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10397 · Low · Sep 12, 2019
    risk 0.20 · CVSS 3.1 · EPSS 0.01

    Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2019-10394 · Medium · Sep 12, 2019
    risk 0.20 · CVSS 4.2 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10393 · Medium · Sep 12, 2019
    risk 0.20 · CVSS 4.2 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2017-1000114 · Low · Oct 5, 2017
    risk 0.20 · CVSS 3.1 · EPSS 0.01

    The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example…

  • CVE-2023-49652 · Low · Nov 29, 2023
    risk 0.18 · CVSS 2.7 · EPSS 0.01

    Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials…
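
    The same Stapler descriptor code is behind two recurring groups on this page: form methods that let any Overall/Read user enumerate credential IDs (CVE-2020-2202, CVE-2019-10473, CVE-2019-10439, and the per-job Item/Configure variant in CVE-2023-4777 and CVE-2023-49652), and the missing-permission-check / CSRF pairs that make Jenkins connect to an attacker-specified URL with attacker-specified credentials (CVE-2019-10455/10454, CVE-2019-10442/10441, CVE-2023-4302/4301). The block below is an added example written for this page, not code from any plugin listed: a hypothetical AcmeScannerDescriptor showing the vulnerable shape beside the hardened one. The names AcmeScannerDescriptor, AcmeClient, serverUrl and credentialsId are assumptions; the Jenkins core and Credentials Plugin calls are real APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension // hypothetical descriptor for a hypothetical "Acme scanner" build step
public class AcmeScannerDescriptor extends BuildStepDescriptor<Builder> {
    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

    // BEFORE: the shape behind the entries above. Stapler exposes this as
    // .../descriptorByName/AcmeScannerDescriptor/testConnectionUnsafe to any
    // Overall/Read user, over GET (no CSRF crumb), and it sends the credential the
    // caller names to the URL the caller names. Kept only for contrast.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) throws IOException {
        StandardUsernamePasswordCredentials c = lookup(null, serverUrl, credentialsId);
        return c != null && AcmeClient.ping(serverUrl, c) ? FormValidation.ok() : FormValidation.error("failed");
    }

    // AFTER, the drop-down: check the specific item (null = global config page).
    // Item/Configure held "somewhere" is not enough; that is the CVE-2023-4777 and
    // CVE-2023-49652 bug. Without the right, echo back only the configured value.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!canListCredentials(item)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        URIRequirementBuilder.fromUri(serverUrl).build(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    // AFTER, the side-effecting check: @RequirePOST makes Jenkins enforce the CSRF
    // crumb, and checkPermission throws (HTTP 403) instead of carrying on.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) throws IOException {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials c = lookup(item, serverUrl, credentialsId);
        if (c == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        return AcmeClient.ping(serverUrl, c) ? FormValidation.ok("Connected") : FormValidation.error("Connection failed");
    }

    private static boolean canListCredentials(Item item) {
        if (item == null) {
            return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
        }
        return item.hasPermission(Item.EXTENDED_READ) || item.hasPermission(CredentialsProvider.USE_ITEM);
    }

    // Resolve the ID in the item's scope; a null item resolves in the global scope.
    private static StandardUsernamePasswordCredentials lookup(Item item, String serverUrl, String id) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, item,
                        ACL.SYSTEM, URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(id));
    }

    // Hypothetical client: one HEAD request with Basic auth, enough to show that
    // the credential really is sent to whatever serverUrl the caller supplied.
    static final class AcmeClient {
        static boolean ping(String url, StandardUsernamePasswordCredentials c) throws IOException {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization",
                    "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            return conn.getResponseCode() / 100 == 2;
        }
    }
}
```

    Both methods are reachable through the descriptor's own URL under /descriptorByName/, which is why the check has to live in the method itself: the caller does not need to own, or even see, a job. ACL.SYSTEM is the deprecated Acegi constant; on current cores with a recent Credentials Plugin, the ACL.SYSTEM2 (Spring Security) overloads of the same calls are the ones to use.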

  • CVE-2025-0148 · Low · Feb 3, 2025
    risk 0.17 · CVSS 2.6 · EPSS 0.00

    Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.

  • CVE-2022-23114 · Low · Jan 12, 2022
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2019-10433 · Low · Oct 1, 2019
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    Jenkins Dingding[钉钉] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
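
    Six entries above (CVE-2020-2177, CVE-2020-2126, CVE-2020-2095, CVE-2019-10450, CVE-2022-23114, CVE-2019-10433) are a plain String field serialised into config.xml, and three more (CVE-2020-2153, CVE-2019-10397, CVE-2017-1000114) are the same value handed to a configuration form. The block below is an added example written for this page, not code from any plugin listed: a hypothetical AcmeNotifier showing the field type and form control that close both. The names AcmeNotifier, AcmeClient, apiUrl and apiToken are assumptions; hudson.util.Secret and the form tags are Jenkins' own.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.Secret;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import org.kohsuke.stapler.DataBoundConstructor;

// Hypothetical post-build step that calls a remote API with a token.
public class AcmeNotifier extends Notifier {

    private final String apiUrl;

    // BEFORE (the affected plugins):   private final String apiToken;
    // XStream writes that field verbatim, so the job's config.xml contains
    //     <apiToken>hunter2</apiToken>
    // for anyone with Extended Read on the job or a shell on the controller.
    //
    // AFTER: hudson.util.Secret is encrypted with the controller's key on save,
    //     <apiToken>{AQAAABAAAAAQ...}</apiToken>      (shape illustrative)
    // An old config.xml holding the plain value still loads, because Jenkins'
    // XStream converter goes through Secret.fromString(), which accepts either
    // form; the value is rewritten encrypted the next time the job is saved.
    private final Secret apiToken;

    @DataBoundConstructor
    public AcmeNotifier(String apiUrl, Secret apiToken) {
        this.apiUrl = apiUrl;
        this.apiToken = apiToken;
    }

    public String getApiUrl() { return apiUrl; }

    // Return the Secret itself, never getPlainText(): the form binds to this
    // getter, and <f:password/> renders a Secret in its encrypted form, so the
    // plaintext is not in the HTML an administrator's browser receives.
    public Secret getApiToken() { return apiToken; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws IOException, InterruptedException {
        listener.getLogger().println("Notifying " + apiUrl);
        // Decrypt at the point of use only, and keep it out of the build log.
        return AcmeClient.notify(apiUrl, Secret.toString(apiToken));
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() { return BuildStepMonitor.NONE; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override
        public String getDisplayName() { return "Acme notification"; }
    }

    // Hypothetical client: one bearer-authenticated POST.
    static final class AcmeClient {
        static boolean notify(String url, String token) throws IOException {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setRequestMethod("POST");
            c.setRequestProperty("Authorization", "Bearer " + token);
            c.setDoOutput(true);
            c.getOutputStream().close();
            return c.getResponseCode() / 100 == 2;
        }
    }
}

// The matching src/main/resources/<package>/AcmeNotifier/config.jelly. Handing
// the plaintext to the form, whether from a String field or from a getter that
// decrypts, is what put the token into the page source in CVE-2020-2153 and
// CVE-2017-1000114; <f:password/> bound to a Secret-returning getter fixes it.
//
//   <?jelly escape-by-default='true'?>
//   <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
//     <f:entry title="API URL" field="apiUrl">
//       <f:textbox/>
//     </f:entry>
//     <f:entry title="API token" field="apiToken">
//       <f:password/>
//     </f:entry>
//   </j:jelly>
```

    A quick check after the change: save the job once, then grep its config.xml for the token value; it should only appear in the encrypted {...} form, and the rendered configuration page should not contain it at all.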

  • CVE-2019-10343 · Low · Jul 31, 2019
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

  • CVE-2017-1000242 · Low · Nov 1, 2017
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    Jenkins Git Client Plugin 2.4.2 and earlier creates temporary files with insecure permissions, resulting in information disclosure.
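
    The entry above comes down to the difference between java.io.File.createTempFile and java.nio.file.Files.createTempFile. The block below is an added example written for this page, not the Git Client Plugin's code: the two helpers and their names are assumptions, and the permission sets shown are what each JDK call produces on a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical helpers: a plugin that must hand a credential to a child
// process (for example an askpass script) through a file on the controller.
public final class TempSecrets {

    // BEFORE: File.createTempFile opens the file with mode 0666 and lets the
    // process umask decide, so on a typical controller it is 0644 and readable by
    // every local account until deleted. Calling setReadable(false, false) afterwards
    // still leaves a window in which the plaintext was world-readable.
    static File unsafeTempCredentialFile(String secret) throws IOException {
        File f = File.createTempFile("jenkins-cred", ".txt");
        Files.write(f.toPath(), secret.getBytes(StandardCharsets.UTF_8));
        return f;
    }

    // AFTER: Files.createTempFile creates the file owner-only (0600) on POSIX
    // systems before any byte is written, so there is no window to race.
    // Passing the permission set explicitly documents the intent, but it throws
    // UnsupportedOperationException on non-POSIX file systems, hence the check.
    static Path safeTempCredentialFile(String secret) throws IOException {
        Path p;
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerOnly =
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            p = Files.createTempFile("jenkins-cred", ".txt", attr);
        } else {
            p = Files.createTempFile("jenkins-cred", ".txt");
        }
        Files.write(p, secret.getBytes(StandardCharsets.UTF_8));
        return p;
    }

    // Compare the two on a POSIX machine (the permission query below is POSIX-only);
    // both files are deleted afterwards.
    public static void main(String[] args) throws IOException {
        File before = unsafeTempCredentialFile("hunter2");
        Path after = safeTempCredentialFile("hunter2");
        try {
            System.out.println("File.createTempFile:  " + Files.getPosixFilePermissions(before.toPath()));
            System.out.println("Files.createTempFile: " + Files.getPosixFilePermissions(after));
        } finally {
            Files.deleteIfExists(before.toPath());
            Files.deleteIfExists(after);
        }
    }
}
```

    With a umask of 022 the first line lists group and others read bits, the second only OWNER_READ and OWNER_WRITE. The same substitution applies to any temporary file that will hold key material, not only credentials.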

Page 26 of 32