VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2025-53658Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2025-53657Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53656Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins…

  • CVE-2025-53655Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2025-53654Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2025-53653Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53652Jul 9, 2025
    risk 0.00cvss epss 0.01

    Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

  • CVE-2025-53651Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

  • CVE-2025-53650Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

  • CVE-2024-9453Jul 4, 2025
    risk 0.00cvss epss 0.00

    A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the…

  • CVE-2025-5806Jun 6, 2025
    risk 0.00cvss epss 0.00

    Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

  • CVE-2025-47889May 14, 2025
    risk 0.00cvss epss 0.01

    In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames…

  • CVE-2025-47888May 14, 2025
    risk 0.00cvss epss 0.00

    Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.

  • CVE-2025-47887May 14, 2025
    risk 0.00cvss epss 0.00

    Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2025-47886May 14, 2025
    risk 0.00cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2025-47885May 14, 2025
    risk 0.00cvss epss 0.01

    Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server…

  • CVE-2025-47884May 14, 2025
    risk 0.00cvss epss 0.01

    In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token…

  • CVE-2025-32755Apr 10, 2025
    risk 0.00cvss epss 0.00

    In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path…

  • CVE-2025-32754Apr 10, 2025
    risk 0.00cvss epss 0.00

    In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network…

  • CVE-2025-31728Apr 2, 2025
    risk 0.00cvss epss 0.00

    Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-31727Apr 2, 2025
    risk 0.00cvss epss 0.00

    Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-31726Apr 2, 2025
    risk 0.00cvss epss 0.00

    Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2025-31725Apr 2, 2025
    risk 0.00cvss epss 0.00

    Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2025-31724Apr 2, 2025
    risk 0.00cvss epss 0.00

    Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2025-31723Apr 2, 2025
    risk 0.00cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order.

  • CVE-2025-31722Apr 2, 2025
    risk 0.00cvss epss 0.01

    In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

  • CVE-2025-31721Apr 2, 2025
    risk 0.00cvss epss 0.00

    A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.

  • CVE-2025-31720Apr 2, 2025
    risk 0.00cvss epss 0.00

    A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.

  • CVE-2025-30197Mar 19, 2025
    risk 0.00cvss epss 0.00

    Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

  • CVE-2025-30196Mar 19, 2025
    risk 0.00cvss epss 0.00

    Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor…

  • CVE-2025-27625Mar 5, 2025
    risk 0.00cvss epss 0.01

    In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers…

  • CVE-2025-27624Mar 5, 2025
    risk 0.00cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).

  • CVE-2025-27623Mar 5, 2025
    risk 0.00cvss epss 0.00

    Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.

  • CVE-2025-27622Mar 5, 2025
    risk 0.00cvss epss 0.01

    Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.

  • CVE-2025-24403Jan 22, 2025
    risk 0.00cvss epss 0.00

    A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins.

  • CVE-2025-24402Jan 22, 2025
    risk 0.00cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.

  • CVE-2025-24400Jan 22, 2025
    risk 0.00cvss epss 0.00

    Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event…

  • CVE-2025-24399Jan 22, 2025
    risk 0.00cvss epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by…

  • CVE-2025-24398Jan 22, 2025
    risk 0.00cvss epss 0.00

    Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

  • CVE-2025-24397Jan 22, 2025
    risk 0.00cvss epss 0.00

    An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in…

  • CVE-2024-54004Nov 27, 2024
    risk 0.00cvss epss 0.01

    Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

  • CVE-2024-52554Nov 13, 2024
    risk 0.00cvss epss 0.01

    Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a…

  • CVE-2024-52553Nov 13, 2024
    risk 0.00cvss epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.

  • CVE-2024-52552Nov 13, 2024
    risk 0.00cvss epss 0.01

    Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2024-52551Nov 13, 2024
    risk 0.00cvss epss 0.01

    Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose…

  • CVE-2024-52550Nov 13, 2024
    risk 0.00cvss epss 0.00

    Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile)…

  • CVE-2024-52549Nov 13, 2024
    risk 0.00cvss epss 0.00

    Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the…

  • CVE-2024-47807Oct 2, 2024
    risk 0.00cvss epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

  • CVE-2024-47806Oct 2, 2024
    risk 0.00cvss epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

  • CVE-2024-47805Oct 2, 2024
    risk 0.00cvss epss 0.01

    Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.

Page 29 of 32