Vendor CVEs
Jenkins Project
All CVEs
1,579 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-46654 | | High | 0.46 | 8.1 | 0.01 | | Oct 25, 2023 | Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the… |
| CVE-2023-37965 | | High | 0.46 | 7.1 | 0.01 | | Jul 12, 2023 | A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-37949 | | High | 0.46 | 7.1 | 0.01 | | Jul 12, 2023 | A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… |
| CVE-2023-28685 | | High | 0.46 | 7.1 | 0.01 | | Mar 22, 2023 | Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-45381 | | High | 0.46 | 8.1 | 0.01 | | Nov 15, 2022 | Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines… |
| CVE-2022-36881 | | High | 0.46 | 8.1 | 0.01 | | Jul 27, 2022 | Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. |
| CVE-2022-28140 | | High | 0.46 | 8.1 | 0.01 | | Mar 29, 2022 | Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-21686 | | High | 0.46 | 8.1 | 0.02 | | Nov 4, 2021 | File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. |
| CVE-2020-2321 | | High | 0.46 | 8.1 | 0.01 | | Dec 3, 2020 | A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project. |
| CVE-2020-2284 | | High | 0.46 | 7.1 | 0.01 | | Sep 23, 2020 | Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2245 | | High | 0.46 | 7.1 | 0.01 | | Sep 1, 2020 | Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2178 | | High | 0.46 | 7.1 | 0.01 | | Apr 16, 2020 | Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2091 | | High | 0.46 | 8.1 | 0.01 | | Jan 15, 2020 | A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. |
| CVE-2019-16561 | | High | 0.46 | 7.1 | 0.01 | | Dec 17, 2019 | Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM. |
| CVE-2019-16549 | | High | 0.46 | 8.1 | 0.01 | | Dec 17, 2019 | Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. |
| CVE-2019-10462 | | High | 0.46 | 8.1 | 0.01 | | Oct 23, 2019 | A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-10446 | | High | 0.46 | 8.2 | 0.01 | | Oct 16, 2019 | Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. |
| CVE-2019-10327 | | High | 0.46 | 8.1 | 0.01 | | May 31, 2019 | An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses… |
| CVE-2019-1003049 | | High | 0.46 | 8.1 | 0.02 | | Apr 10, 2019 | Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject… |
| CVE-2019-1003011 | | High | 0.46 | 8.1 | 0.02 | | Feb 6, 2019 | An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/toke… |
| CVE-2018-1000414 | | High | 0.46 | 8.1 | 0.01 | | Jan 9, 2019 | A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions. |
| CVE-2022-41232 | | High | 0.45 | 8.0 | 0.00 | | Sep 21, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint. |
| CVE-2022-27198 | | High | 0.45 | 8.0 | 0.00 | | Mar 15, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. |
| CVE-2021-21605 | | High | 0.45 | 8.0 | 0.02 | | Jan 13, 2021 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. |
| CVE-2021-21604 | | High | 0.45 | 8.0 | 0.02 | | Jan 13, 2021 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. |
| CVE-2019-10300 | | High | 0.45 | 8.0 | 0.01 | | Apr 18, 2019 | A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through… |
| CVE-2019-10476 | | High | 0.44 | 7.8 | 0.00 | | Oct 23, 2019 | Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
| CVE-2019-10460 | | High | 0.44 | 7.8 | 0.00 | | Oct 23, 2019 | Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
| CVE-2018-1000423 | | High | 0.44 | 7.8 | 0.00 | | Jan 9, 2019 | An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd… |
| CVE-2018-1000410 | | High | 0.44 | 7.8 | 0.00 | | Jan 9, 2019 | An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers… |
| CVE-2017-2648 | | Medium | 0.44 | 6.8 | 0.01 | | Jul 27, 2018 | It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. |
| CVE-2026-48919 | | Medium | 0.43 | 6.6 | 0.00 | | May 27, 2026 | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48918 | | Medium | 0.43 | 6.6 | 0.00 | | May 27, 2026 | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. |
| CVE-2026-48917 | | Medium | 0.43 | 6.6 | 0.00 | | May 27, 2026 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48916 | | Medium | 0.43 | 6.6 | 0.00 | | May 27, 2026 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. |
| CVE-2026-57283 | | Moderate | 0.42 | 6.5 | 0.00 | | Jun 24, 2026 | jenkins-pipeline-groovy: Jenkins Pipeline: Groovy Plugin: Cross-site request forgery allows unauthorized configuration changes. |
| CVE-2026-42521 | | Medium | 0.42 | 6.5 | 0.00 | | Apr 29, 2026 | Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers… |
| CVE-2023-49653 | | Medium | 0.42 | 6.5 | 0.01 | | Nov 29, 2023 | Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. |
| CVE-2023-46653 | | Medium | 0.42 | 6.5 | 0.00 | | Oct 25, 2023 | Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure. |
| CVE-2023-41943 | | Medium | 0.42 | 6.5 | 0.01 | | Sep 6, 2023 | Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. |
| CVE-2023-41938 | | Medium | 0.42 | 6.5 | 0.00 | | Sep 6, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. |
| CVE-2023-41936 | | High | 0.42 | 7.5 | 0.01 | | Sep 6, 2023 | Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. |
| CVE-2023-41932 | | Medium | 0.42 | 6.5 | 0.01 | | Sep 6, 2023 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file… |
| CVE-2023-40347 | | Medium | 0.42 | 6.5 | 0.01 | | Aug 16, 2023 | Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. |
| CVE-2023-40345 | | Medium | 0.42 | 6.5 | 0.01 | | Aug 16, 2023 | Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. |
| CVE-2023-40340 | | High | 0.42 | 7.5 | 0.01 | | Aug 16, 2023 | Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. |
| CVE-2023-40339 | | High | 0.42 | 7.5 | 0.01 | | Aug 16, 2023 | Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. |
| CVE-2023-39154 | | Medium | 0.42 | 6.5 | 0.00 | | Jul 26, 2023 | Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing… |
| CVE-2023-39152 | | Medium | 0.42 | 6.5 | 0.01 | | Jul 26, 2023 | Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. |
| CVE-2023-37960 | | Medium | 0.42 | 6.5 | 0.01 | | Jul 12, 2023 | Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file systems. |
Page 8 of 32