Filtered by vendor Jenkins Subscriptions
Total 1676 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-1000861 2 Jenkins, Redhat 3 Jenkins, Openshift, Openshift Container Platform 2025-07-28 9.8 Critical
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
CVE-2019-1003030 2 Jenkins, Redhat 3 Pipeline\, Openshift, Openshift Container Platform 2025-07-28 9.9 Critical
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
CVE-2019-1003029 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2025-07-28 9.9 Critical
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
CVE-2015-5317 2 Jenkins, Redhat 2 Jenkins, Openshift 2025-07-28 7.5 High
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 367 Http Server, Opensearch Data Prepper, Apisix and 364 more 2025-07-28 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2024-23897 2 Jenkins, Redhat 2 Jenkins, Ocp Tools 2025-07-28 9.8 Critical
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
CVE-2025-53670 1 Jenkins 1 Nouvola Divecloud 2025-07-18 6.5 Medium
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53669 1 Jenkins 1 Vaddy 2025-07-18 4.3 Medium
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-53668 1 Jenkins 1 Vaddy 2025-07-18 6.5 Medium
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53667 1 Jenkins 1 Dead Man\'s Snitch 2025-07-18 5.3 Medium
Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-53666 1 Jenkins 1 Dead Man\'s Snitch 2025-07-18 6.5 Medium
Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53665 1 Jenkins 1 Apica Loadtest 2025-07-18 4.3 Medium
Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-53664 1 Jenkins 1 Apica Loadtest 2025-07-18 6.5 Medium
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53652 1 Jenkins 1 Git Parameter 2025-07-18 8.2 High
Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.
CVE-2025-53651 1 Jenkins 1 Html Publisher 2025-07-18 6.3 Medium
Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
CVE-2025-53650 1 Jenkins 1 Credentials Binding 2025-07-18 7.3 High
Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.
CVE-2025-53653 1 Jenkins 1 Aqua Security Scanner 2025-07-18 4.3 Medium
Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53654 1 Jenkins 1 Statistics Gatherer 2025-07-18 6.5 Medium
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
CVE-2025-53655 1 Jenkins 1 Statistics Gatherer 2025-07-18 5.3 Medium
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
CVE-2025-53660 1 Jenkins 1 Qmetry Test Management 2025-07-18 4.3 Medium
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.