VYPR

Vendor CVEs: Jenkins Project, All CVEs

1,579 total · sorted by risk
  • CVE-2019-10348 · High · Jul 11, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10347 · High · Jul 11, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10340 · High · Jul 11, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…

  • CVE-2019-10329 · High · May 31, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10318 · High · Apr 30, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.

  • CVE-2019-10301 · High · Apr 18, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…

  • CVE-2019-10286 · High · Apr 4, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10282 · High · Apr 4, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-1003064 · High · Apr 4, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    Jenkins aws-device-farm Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-1003063 · High · Apr 4, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    Jenkins Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-1003061 · High · Apr 4, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    Jenkins jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-1003033 · High · Mar 8, 2019
    risk 0.50 · cvss 8.8 · epss 0.03

    A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

  • CVE-2019-1003025 · High · Feb 20, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    An exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs…

  • CVE-2019-1003024 · High · Feb 20, 2019
    risk 0.50 · cvss 8.8 · epss 0.03

    A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the…

  • CVE-2019-1003006 · High · Feb 6, 2019
    risk 0.50 · cvss 8.8 · epss 0.02

    A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code…

  • CVE-2018-1000412 · High · Jan 9, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,…

  • CVE-2015-7538 · High · Feb 3, 2016
    risk 0.50 · cvss 8.8 · epss 0.02

    Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

  • CVE-2015-7537 · High · Feb 3, 2016
    risk 0.50 · cvss 8.8 · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

  • CVE-2026-48922 · High · May 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to…

  • CVE-2026-48921 · High · May 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

  • CVE-2026-42520 · High · Apr 29, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code…

  • CVE-2024-23904 · High · Jan 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins…

  • CVE-2023-41937 · High · Sep 6, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials…

  • CVE-2023-41935 · High · Sep 6, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to…

  • CVE-2023-33001 · High · May 16, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-33000 · High · May 16, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-30515 · High · Apr 12, 2023
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-30514 · High · Apr 12, 2023
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-30513 · High · Apr 12, 2023
    risk 0.49 · cvss 7.5 · epss 0.00

    Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-28680 · High · Apr 2, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45388 · High · Nov 15, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

  • CVE-2022-43429 · High · Oct 19, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

  • CVE-2022-23116 · High · Jan 12, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

  • CVE-2021-21642 · High · Apr 21, 2021
    risk 0.49 · cvss 8.1 · epss 0.38

    Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2019-20864 · High · Jun 19, 2020
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account.

  • CVE-2020-2165 · High · Mar 25, 2020
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2012-0785 · High · Feb 24, 2020
    risk 0.49 · cvss 7.5 · epss 0.03

    Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."

  • CVE-2020-2108 · High · Jan 29, 2020
    risk 0.49 · cvss 7.6 · epss 0.01

    Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions.

  • CVE-2020-2099 · High · Jan 29, 2020
    risk 0.49 · cvss 8.6 · epss 0.01

    Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to…

  • CVE-2015-1811 · High · Jan 15, 2020
    risk 0.49 · cvss 7.5 · epss 0.01

    XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.

  • CVE-2015-1809 · High · Jan 15, 2020
    risk 0.49 · cvss 7.5 · epss 0.01

    XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.

  • CVE-2019-10435 · High · Oct 1, 2019
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

  • CVE-2019-10434 · High · Oct 1, 2019
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-10428 · High · Sep 25, 2019
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-10381 · High · Aug 7, 2019
    risk 0.49 · cvss 7.5 · epss 0.01

    Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2017-1000108 · High · Oct 5, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead.

  • CVE-2017-1000092 · High · Oct 5, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a…

  • CVE-2022-30945 · High · May 17, 2022
    risk 0.48 · cvss 8.5 · epss 0.01

    Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

  • CVE-2019-10475 · Medium · Oct 23, 2019
    risk 0.47 · cvss 6.1 · epss 0.58

    A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

  • CVE-2019-1003004 · High · Jan 22, 2019
    risk 0.47 · cvss 7.2 · epss 0.02

    An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user…

Page 7 of 32