VYPR vendor CVEs: Jenkins Project, all CVEs

1,579 total · sorted by risk
  • CVE-2022-43407 (High), Oct 19, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.00

    Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly…

  • CVE-2022-36882 (High), Jul 27, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

  • CVE-2022-29050 (High), Apr 12, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.

  • CVE-2022-28136 (High), Mar 29, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2022-27204 (High), Mar 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2022-25183 (High), Feb 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins…

  • CVE-2022-25182 (High), Feb 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline…

  • CVE-2022-25181 (High), Feb 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global…

  • CVE-2022-25174 (High), Feb 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM…

  • CVE-2022-25173 (High), Feb 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the…

  • CVE-2022-20617 (High), Jan 12, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM…

  • CVE-2021-21695 (High), Nov 4, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21679 (High), Aug 31, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

  • CVE-2021-21678 (High), Aug 31, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

  • CVE-2021-21677 (High), Aug 31, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.

  • CVE-2021-21646 (High), Apr 21, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

  • CVE-2021-21633 (High), Mar 30, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

  • CVE-2021-21629 (High), Mar 30, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

  • CVE-2021-21627 (High), Mar 18, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.

  • CVE-2021-21617 (High), Feb 24, 2021
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

  • CVE-2020-2241 (High), Sep 1, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials.

  • CVE-2020-2240 (High), Sep 1, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.

  • CVE-2020-2189 (High), May 6, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2180 (High), Apr 16, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2179 (High), Apr 16, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.03

    Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2160 (High), Mar 25, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

  • CVE-2020-2135 (High), Mar 9, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

  • CVE-2020-2134 (High), Mar 9, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

  • CVE-2020-2123 (High), Feb 12, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2120 (High), Feb 12, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2115 (High), Feb 12, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2110 (High), Feb 12, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

  • CVE-2020-2109 (High), Feb 12, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

  • CVE-2020-2097 (High), Jan 15, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

  • CVE-2020-2096 (Medium), Jan 15, 2020
    risk 0.50 · CVSS 6.1 · EPSS 0.89

    Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

  • CVE-2020-2093 (High), Jan 15, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.

  • CVE-2020-2092 (High), Jan 15, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents.

  • CVE-2020-2090 (High), Jan 15, 2020
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

  • CVE-2019-16553 (High), Dec 17, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression.

  • CVE-2019-16551 (High), Dec 17, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.

  • CVE-2019-16550 (High), Dec 17, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents.

  • CVE-2019-16548 (High), Nov 21, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents.

  • CVE-2019-16538 (High), Nov 21, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2019-10471 (High), Oct 23, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10449 (High), Oct 16, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10440 (High), Oct 16, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10437 (High), Oct 16, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10390 (High), Aug 28, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

  • CVE-2019-10384 (High), Aug 28, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

  • CVE-2019-10355 (High), Jul 31, 2019
    risk 0.50 · CVSS 8.8 · EPSS 0.03

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.

Page 6 of 32