ReportizFlow
Filtered by vendor Jenkins
Subscriptions
Total
1756 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. | ||||
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. | ||||
| CVE-2022-46688 | 1 Jenkins | 1 Sonar Gerrit | 2025-04-23 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | ||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | 5.4 Medium |
| Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | ||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2025-04-23 | 5.4 Medium |
| Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. | ||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2025-04-23 | 5.4 Medium |
| Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-46683 | 1 Jenkins | 1 Google Login | 2025-04-23 | 6.1 Medium |
| Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | ||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | 9.8 Critical |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2017-1000090 | 1 Jenkins | 1 Role-based Authorization Strategy | 2025-04-20 | N/A |
| Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. | ||||
| CVE-2017-1000087 | 1 Jenkins | 1 Github Branch Source | 2025-04-20 | N/A |
| GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | ||||
| CVE-2016-4986 | 1 Jenkins | 1 Tap | 2025-04-20 | 7.5 High |
| Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. | ||||
| CVE-2017-1000108 | 1 Jenkins | 1 Pipeline-input-step | 2025-04-20 | N/A |
| The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead. | ||||
| CVE-2017-1000245 | 1 Jenkins | 1 Ssh | 2025-04-20 | N/A |
| The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file. | ||||
| CVE-2017-1000104 | 1 Jenkins | 1 Config File Provider | 2025-04-20 | N/A |
| The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files. | ||||
| CVE-2017-1000093 | 1 Jenkins | 1 Poll Scm | 2025-04-20 | N/A |
| Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. | ||||
| CVE-2017-1000102 | 1 Jenkins | 1 Static Analysis Utilities | 2025-04-20 | N/A |
| The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view. | ||||
| CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2025-04-20 | N/A |
| Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification | ||||
| CVE-2017-1000242 | 1 Jenkins | 1 Git Client | 2025-04-20 | N/A |
| Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure | ||||
| CVE-2017-1000107 | 1 Jenkins | 1 Script Security | 2025-04-20 | N/A |
| Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. | ||||
| CVE-2017-1000094 | 1 Jenkins | 1 Docker Commons | 2025-04-20 | N/A |
| Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | ||||