ReportizFlow
Filtered by vendor Jenkins
Subscriptions
Total
1749 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24400 | 1 Jenkins | 1 Eiffel Broadcaster | 2025-10-03 | 4.3 Medium |
| Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. | ||||
| CVE-2025-24401 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2025-10-03 | 6.8 Medium |
| Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | ||||
| CVE-2025-24402 | 1 Jenkins | 1 Azure Service Fabric | 2025-10-03 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. | ||||
| CVE-2025-24403 | 1 Jenkins | 1 Azure Service Fabric | 2025-10-03 | 4.3 Medium |
| A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. | ||||
| CVE-2024-2216 | 1 Jenkins | 1 Docker-build-step | 2025-09-18 | 8.8 High |
| A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. | ||||
| CVE-2024-2215 | 1 Jenkins | 1 Docker-build-step | 2025-09-18 | 6.1 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. | ||||
| CVE-2024-28152 | 1 Jenkins | 1 Bitbucket Branch Source | 2025-09-18 | 6.3 Medium |
| In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. | ||||
| CVE-2024-28157 | 1 Jenkins | 1 Gitbucket | 2025-09-18 | 8.0 High |
| Jenkins GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | ||||
| CVE-2025-5806 | 1 Jenkins | 1 Gatling | 2025-09-17 | 8 High |
| Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. | ||||
| CVE-2021-28165 | 5 Eclipse, Jenkins, Netapp and 2 more | 28 Jetty, Jenkins, Cloud Manager and 25 more | 2025-08-28 | 7.5 High |
| In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | ||||
| CVE-2025-27622 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. | ||||
| CVE-2025-27623 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets. | ||||
| CVE-2025-27624 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets). | ||||
| CVE-2025-27625 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret these characters as part of scheme-relative redirects. | ||||
| CVE-2024-23905 | 1 Jenkins | 1 Red Hat Dependency Analytics | 2025-06-20 | 5.4 Medium |
| Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | ||||
| CVE-2024-23904 | 1 Jenkins | 1 Log Command | 2025-06-20 | 7.5 High |
| Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. | ||||
| CVE-2024-23898 | 2 Jenkins, Redhat | 2 Jenkins, Ocp Tools | 2025-06-20 | 8.8 High |
| Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. | ||||
| CVE-2024-23900 | 2 Jenkins, Redhat | 2 Matrix Project, Ocp Tools | 2025-06-16 | 4.3 Medium |
| Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. | ||||
| CVE-2025-47884 | 1 Jenkins | 1 Openid Connect Provider | 2025-06-12 | 9.1 Critical |
| In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services. | ||||
| CVE-2025-47885 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2025-06-12 | 8.8 High |
| Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. | ||||