VYPR: Vendor CVEs

Jenkins Project: All CVEs

1,579 total · sorted by risk
  • CVE-2023-46654 · High · Oct 25, 2023
    risk 0.46 · cvss 8.1 · epss 0.01

    Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the…

  • CVE-2023-37965 · High · Jul 12, 2023
    risk 0.46 · cvss 7.1 · epss 0.01

    A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37949 · High · Jul 12, 2023
    risk 0.46 · cvss 7.1 · epss 0.01

    A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-28685 · High · Mar 22, 2023
    risk 0.46 · cvss 7.1 · epss 0.01

    Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45381 · High · Nov 15, 2022
    risk 0.46 · cvss 8.1 · epss 0.01

    Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines…

  • CVE-2022-36881 · High · Jul 27, 2022
    risk 0.46 · cvss 8.1 · epss 0.01

    Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

  • CVE-2022-28140 · High · Mar 29, 2022
    risk 0.46 · cvss 8.1 · epss 0.01

    Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21686 · High · Nov 4, 2021
    risk 0.46 · cvss 8.1 · epss 0.02

    File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.

  • CVE-2020-2321 · High · Dec 3, 2020
    risk 0.46 · cvss 8.1 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.

  • CVE-2020-2284 · High · Sep 23, 2020
    risk 0.46 · cvss 7.1 · epss 0.01

    Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2245 · High · Sep 1, 2020
    risk 0.46 · cvss 7.1 · epss 0.01

    Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2178 · High · Apr 16, 2020
    risk 0.46 · cvss 7.1 · epss 0.01

    Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2091 · High · Jan 15, 2020
    risk 0.46 · cvss 8.1 · epss 0.01

    A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

  • CVE-2019-16561 · High · Dec 17, 2019
    risk 0.46 · cvss 7.1 · epss 0.01

    Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.

  • CVE-2019-16549 · High · Dec 17, 2019
    risk 0.46 · cvss 8.1 · epss 0.01

    Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.

  • CVE-2019-10462 · High · Oct 23, 2019
    risk 0.46 · cvss 8.1 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10446 · High · Oct 16, 2019
    risk 0.46 · cvss 8.2 · epss 0.01

    Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2019-10327 · High · May 31, 2019
    risk 0.46 · cvss 8.1 · epss 0.01

    An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses…

  • CVE-2019-1003049 · High · Apr 10, 2019
    risk 0.46 · cvss 8.1 · epss 0.02

    Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject…

  • CVE-2019-1003011 · High · Feb 6, 2019
    risk 0.46 · cvss 8.1 · epss 0.02

    An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/toke…

  • CVE-2018-1000414 · High · Jan 9, 2019
    risk 0.46 · cvss 8.1 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.

  • CVE-2022-41232 · High · Sep 21, 2022
    risk 0.45 · cvss 8.0 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.

  • CVE-2022-27198 · High · Mar 15, 2022
    risk 0.45 · cvss 8.0 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

  • CVE-2021-21605 · High · Jan 13, 2021
    risk 0.45 · cvss 8.0 · epss 0.02

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

  • CVE-2021-21604 · High · Jan 13, 2021
    risk 0.45 · cvss 8.0 · epss 0.02

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

  • CVE-2019-10300 · High · Apr 18, 2019
    risk 0.45 · cvss 8.0 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…

  • CVE-2019-10476 · High · Oct 23, 2019
    risk 0.44 · cvss 7.8 · epss 0.00

    Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10460 · High · Oct 23, 2019
    risk 0.44 · cvss 7.8 · epss 0.00

    Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2018-1000423 · High · Jan 9, 2019
    risk 0.44 · cvss 7.8 · epss 0.00

    An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd…

  • CVE-2018-1000410 · High · Jan 9, 2019
    risk 0.44 · cvss 7.8 · epss 0.00

    An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers…

  • CVE-2017-2648 · Medium · Jul 27, 2018
    risk 0.44 · cvss 6.8 · epss 0.01

    It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.

  • CVE-2026-48919 · Medium · May 27, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.

  • CVE-2026-48918 · Medium · May 27, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.

  • CVE-2026-48917 · Medium · May 27, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.

  • CVE-2026-48916 · Medium · May 27, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.

  • CVE-2026-57283 · Moderate · Jun 24, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    jenkins-pipeline-groovy: Jenkins Pipeline: Groovy Plugin: Cross-site request forgery allows unauthorized configuration changes.

  • CVE-2026-42521 · Medium · Apr 29, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers…

  • CVE-2023-49653 · Medium · Nov 29, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

  • CVE-2023-46653 · Medium · Oct 25, 2023
    risk 0.42 · cvss 6.5 · epss 0.00

    Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.

  • CVE-2023-41943 · Medium · Sep 6, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.

  • CVE-2023-41938 · Medium · Sep 6, 2023
    risk 0.42 · cvss 6.5 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.

  • CVE-2023-41936 · High · Sep 6, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.

  • CVE-2023-41932 · Medium · Sep 6, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file…

  • CVE-2023-40347 · Medium · Aug 16, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

  • CVE-2023-40345 · Medium · Aug 16, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.

  • CVE-2023-40340 · High · Aug 16, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

  • CVE-2023-40339 · High · Aug 16, 2023
    risk 0.42 · cvss 7.5 · epss 0.01

    Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

  • CVE-2023-39154 · Medium · Jul 26, 2023
    risk 0.42 · cvss 6.5 · epss 0.00

    Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2023-39152 · Medium · Jul 26, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances.

  • CVE-2023-37960 · Medium · Jul 12, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file systems.

Page 8 of 32