VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2022-25200HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-25199HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2022-25198HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2022-23118HigJan 12, 2022
    risk 0.57cvss 8.8epss 0.02

    Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.

  • CVE-2021-21696CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified…

  • CVE-2021-21694CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21693CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21692CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.

  • CVE-2021-21691CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21690CriNov 4, 2021
    risk 0.57cvss 9.8epss 0.02

    Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21657HigMay 25, 2021
    risk 0.57cvss 8.8epss 0.02

    Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2320CriDec 3, 2020
    risk 0.57cvss 9.8epss 0.01

    Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.

  • CVE-2020-2301CriNov 4, 2020
    risk 0.57cvss 9.8epss 0.02

    Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.

  • CVE-2020-2300CriNov 4, 2020
    risk 0.57cvss 9.8epss 0.02

    Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.

  • CVE-2020-2299CriNov 4, 2020
    risk 0.57cvss 9.8epss 0.01

    Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password.

  • CVE-2020-2286HigOct 8, 2020
    risk 0.57cvss 8.8epss 0.01

    Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.

  • CVE-2020-2280HigSep 23, 2020
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code.

  • CVE-2020-2276HigSep 16, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

  • CVE-2020-2268HigSep 16, 2020
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.

  • CVE-2020-2261HigSep 16, 2020
    risk 0.57cvss 8.8epss 0.01

    Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller

  • CVE-2020-2228HigJul 15, 2020
    risk 0.57cvss 8.8epss 0.01

    Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

  • CVE-2020-2211HigJul 2, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2200HigJun 3, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.

  • CVE-2020-2171HigMar 25, 2020
    risk 0.57cvss 8.8epss 0.01

    Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2168HigMar 25, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2167HigMar 25, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2166HigMar 25, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2159HigMar 9, 2020
    risk 0.57cvss 8.8epss 0.02

    Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

  • CVE-2020-2158HigMar 9, 2020
    risk 0.57cvss 8.8epss 0.03

    Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2121HigFeb 12, 2020
    risk 0.57cvss 8.8epss 0.03

    Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2098HigJan 15, 2020
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins.

  • CVE-2019-16575HigDec 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account…

  • CVE-2019-16573HigDec 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-16570HigDec 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server.

  • CVE-2019-16565HigDec 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-16560HigDec 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

  • CVE-2019-16544HigNov 21, 2019
    risk 0.57cvss 8.8epss 0.01

    Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-16541CriNov 21, 2019
    risk 0.57cvss 9.9epss 0.02

    Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope.

  • CVE-2012-4438HigNov 18, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.

  • CVE-2019-10468HigOct 23, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10464HigOct 23, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file…

  • CVE-2019-10448HigOct 16, 2019
    risk 0.57cvss 8.8epss 0.01

    Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10443HigOct 16, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10386HigAug 7, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…

  • CVE-2019-10380HigAug 7, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

  • CVE-2019-10368HigAug 7, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using…

  • CVE-2019-10356HigJul 31, 2019
    risk 0.57cvss 8.8epss 0.03

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10351HigJul 11, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10350HigJul 11, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10316HigApr 30, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Page 3 of 32