Filtered by vendor Jenkins
Subscribe
Total
1744 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36912 | 1 Jenkins | 1 Openstack Heat | 2025-05-05 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
|
|||||
| CVE-2025-32754 | 1 Jenkins | 1 Ssh-agent | 2025-05-02 | N/A | 9.1 CRITICAL |
|
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
|
|||||
| CVE-2023-43496 | 1 Jenkins | 1 Jenkins | 2025-05-02 | N/A | 8.8 HIGH |
|
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
|
|||||
| CVE-2025-32755 | 1 Jenkins | 1 Ssh-slave | 2025-05-02 | N/A | 9.1 CRITICAL |
|
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
|
|||||
| CVE-2022-45391 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | N/A | 7.5 HIGH |
|
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
|
|||||
| CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2025-04-30 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
|
|||||
| CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2025-04-30 | N/A | 5.3 MEDIUM |
|
A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.
|
|||||
| CVE-2022-45388 | 1 Jenkins | 1 Config Rotator | 2025-04-30 | N/A | 7.5 HIGH |
|
Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.
|
|||||
| CVE-2022-45387 | 1 Jenkins | 1 Bart | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2022-45386 | 1 Jenkins | 1 Violations | 2025-04-30 | N/A | 5.5 MEDIUM |
|
Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45385 | 1 Jenkins | 1 Cloudbees Docker Hub\/registry Notification | 2025-04-30 | N/A | 7.5 HIGH |
|
A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
|
|||||
| CVE-2022-45384 | 1 Jenkins | 1 Reverse Proxy Auth | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
|
|||||
| CVE-2022-45395 | 1 Jenkins | 1 Cccc | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45394 | 1 Jenkins | 1 Delete Log | 2025-04-30 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.
|
|||||
| CVE-2022-45393 | 1 Jenkins | 1 Delete Log | 2025-04-30 | N/A | 3.5 LOW |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.
|
|||||
| CVE-2022-45392 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
|
|||||
| CVE-2022-45401 | 1 Jenkins | 1 Associated Files | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
|
|||||
| CVE-2022-45400 | 1 Jenkins | 1 Japex | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45399 | 1 Jenkins | 1 Cluster Statistics | 2025-04-30 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.
|
|||||
| CVE-2022-45398 | 1 Jenkins | 1 Cluster Statistics | 2025-04-30 | N/A | 4.3 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.
|
|||||
| CVE-2022-45397 | 1 Jenkins | 1 Osf Builder Suite \ | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-38666 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | N/A | 7.5 HIGH |
|
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.
|
|||||
| CVE-2022-45381 | 1 Jenkins | 1 Pipeline Utility Steps | 2025-04-30 | N/A | 8.1 HIGH |
|
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
|
|||||
| CVE-2022-45380 | 1 Jenkins | 1 Junit | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
|
|||||
| CVE-2022-45383 | 1 Jenkins | 1 Support Core | 2025-04-30 | N/A | 6.5 MEDIUM |
|
An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.
|
|||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2025-04-30 | N/A | 5.4 MEDIUM |
|
Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.
|
|||||
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.
|
|||||
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.
|
|||||
| CVE-2025-31722 | 1 Jenkins | 1 Templating Engine | 2025-04-29 | N/A | 8.8 HIGH |
|
In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
|
|||||
| CVE-2022-46688 | 1 Jenkins | 1 Sonar Gerrit | 2025-04-23 | N/A | 6.5 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
|
|||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.
|
|||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
|
|||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2022-46683 | 1 Jenkins | 1 Google Login | 2025-04-23 | N/A | 6.1 MEDIUM |
|
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
|
|||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | N/A | 9.8 CRITICAL |
|
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification
|
|||||
| CVE-2017-1000084 | 1 Jenkins | 1 Parameterized Trigger | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.
|
|||||
| CVE-2017-1000108 | 1 Jenkins | 1 Pipeline-input-step | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead.
|
|||||
| CVE-2016-3102 | 1 Jenkins | 1 Script Security | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
|
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
|
|||||