
Jenkins

109 CVEs vendor

Monthly

CVE-2026-40914 This Week

Pre-NVD disclosure via oss-security: oss-security mailing list, 2026/05/27. Threads listed:

- Perl allow OS command injection via send_file() (Stig Palmquist <stig@...g.io>)
- Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download (Douglas Bagnall <douglas.bagnall@...alyst.net.nz>)
- Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)
- ARTEMIS-5996: CVE-2026-40914: Apache Artemis, Apache ActiveMQ Artemis: Address routing-type can be updated by STOMP protoc… (Justin Bertram <jbertram@...che.org>)
- [OSSA-2026-014] OpenStack Swift: Swift proxy-server denial of service via truncated s3api chunked upload (CVE-2026-4901… (Goutham Pacha Ravi <gouthampravi@...il.…)

Authentication Bypass Denial Of Service Apache Command Injection Jenkins
NVD VulDB
CVE-2026-9674 MEDIUM This Month

Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.

CSRF Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48927 MEDIUM This Month

Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.

XSS Jenkins
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-48926 MEDIUM This Month

Jenkins Job Import Plugin version 143.v044a_2e819b_27 and earlier exposes credentials ID enumeration to any authenticated user holding the minimal Overall/Read permission due to a missing permission check on an HTTP endpoint. Any low-privileged Jenkins user can query this endpoint and retrieve the IDs of all credentials stored in the Jenkins credentials store, enabling reconnaissance for follow-on credential-targeting attacks. No public exploit has been identified at time of analysis, CISA has not listed this in KEV, and SSVC rates exploitation status as none with partial technical impact.

Privilege Escalation Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48925 MEDIUM This Month

Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.

CSRF Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48924 MEDIUM This Month

Open redirect vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier enables unauthenticated network attackers to craft login URLs that redirect authenticated victims to arbitrary, attacker-controlled destinations, facilitating phishing campaigns targeting Jenkins users. The plugin fails to validate or restrict the post-login redirect URL parameter, classified under CWE-601. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.3 Medium rating reflects network reachability offset by a mandatory user interaction requirement.

Open Redirect Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48923 MEDIUM This Month

Missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to force the Jenkins server to initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This constitutes a server-side request forgery (SSRF)-class primitive - an attacker can leverage this to probe internal network services, perform port scanning, or interact with internal infrastructure reachable by the Jenkins host. No public exploit has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

Privilege Escalation Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48922 HIGH This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-48921 HIGH This Week

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Information Disclosure Jenkins
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-48920 HIGH This Week

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.

Information Disclosure Jenkins
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48919 MEDIUM This Month

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.

Deserialization Jenkins
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-48918 MEDIUM This Month

Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to abuse the plugin's default LDAP referral-following behavior to force Jenkins to issue out-of-band requests to attacker-controlled or internal network hosts. The vulnerability (CWE-918) stems from the plugin not restricting LDAP referrals by default, which can be weaponized to pivot from the Jenkins server into internal infrastructure. No public exploit code exists and SSVC confirms no known active exploitation, but the technical impact is rated total - confidentiality, integrity, and availability are all at risk if exploitation succeeds.

SSRF Jenkins
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-48917 MEDIUM This Month

Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Deserialization Jenkins
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-48916 MEDIUM This Month

Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.

SSRF Jenkins
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-7168 MEDIUM PATCH This Month

Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.

Information Disclosure Apple Jenkins Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42525 Maven MEDIUM PATCH This Month

Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

Open Redirect Microsoft Jenkins
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42524 Maven HIGH PATCH GHSA This Week

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS Jenkins
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-42523 Maven CRITICAL PATCH GHSA Act Now

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

XSS Jenkins
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-42522 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Authentication Bypass Jenkins
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42521 Maven MEDIUM PATCH This Month

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Information Disclosure Deserialization Jenkins
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42520 Maven HIGH PATCH GHSA This Week

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

RCE Path Traversal Jenkins
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-42519 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Authentication Bypass Jenkins
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33166 Maven HIGH PATCH This Week

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Java Information Disclosure Path Traversal Jenkins
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33004 Maven MEDIUM PATCH This Month

The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.

Information Disclosure Jenkins
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33003 Maven MEDIUM PATCH This Month

The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.

Information Disclosure Jenkins
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33002 Maven HIGH PATCH This Week

Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.

Authentication Bypass Jenkins Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33001 Maven HIGH PATCH This Week

Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.

Information Disclosure Jenkins Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27100 Maven MEDIUM PATCH This Month

Jenkins versions 2.550 and earlier fail to properly validate Run Parameter access controls, allowing authenticated users with Item/Build and Item/Configure permissions to enumerate sensitive information about jobs, builds, and their display names they should not have access to. This information disclosure vulnerability affects Jenkins LTS 2.541.1 and earlier, with no patch currently available. Attackers can exploit this to gather intelligence about build infrastructure by referencing builds outside their authorized scope.

Jenkins Red Hat
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-27099 Maven HIGH PATCH This Week

Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field that fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability.

XSS Jenkins Red Hat
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-68931 Maven HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68925 Maven MEDIUM PATCH This Month

Jervis versions up to 2.2 are affected by improper verification of cryptographic signatures (CVSS 5.3).

Jenkins Jervis
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68704 Maven HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random(), which is not cryptographically secure, for timing attack mitigation. [CVSS 7.5 HIGH]

Java Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68703 Maven HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68702 Maven HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68701 Maven HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68698 Maven HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13472 Maven MEDIUM PATCH This Month

A remote code execution vulnerability in the BlazeMeter Jenkins Plugin (CVSS 5.3) that is exploitable only by users holding certain permissions. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Jenkins
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-34212 HIGH POC This Week

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Jenkins Virtual Appliance Application Virtual Appliance Host
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-59476 Maven MEDIUM PATCH This Month

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-59475 Maven MEDIUM PATCH Monitor

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Red Hat
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59474 Maven MEDIUM PATCH This Month

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-58460 Maven MEDIUM PATCH Monitor

A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Jenkins Opentelemetry
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-58459 Maven MEDIUM PATCH Monitor

Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Global Build Stats
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-58458 Maven MEDIUM PATCH Monitor

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Git Client
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-53743 Maven MEDIUM This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Applitools Eyes
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53742 Maven MEDIUM This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Applitools Eyes
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53678 Maven MEDIUM This Month

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins User1st Utester
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53677 Maven MEDIUM This Month

CVE-2025-53677 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Xooa
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53676 Maven MEDIUM This Month

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Xooa
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53675 Maven MEDIUM This Month

CVE-2025-53675 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Warrior Framework
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53674 Maven MEDIUM This Month

CVE-2025-53674 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Sensedia Api Platform Tools
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53673 Maven MEDIUM This Month

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Sensedia Api Platform Tools
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53672 Maven MEDIUM This Month

Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Kryptowire
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53671 Maven MEDIUM This Month

CVE-2025-53671 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Nouvola Divecloud
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53670 Maven MEDIUM This Month

Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Nouvola Divecloud
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53669 Maven MEDIUM This Month

CVE-2025-53669 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Vaddy
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53668 Maven MEDIUM This Month

Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Vaddy
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53667 Maven MEDIUM This Month

Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53666 Maven MEDIUM This Month

Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53665 Maven MEDIUM This Month

CVE-2025-53665 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Apica Loadtest
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53664 Maven MEDIUM This Month

CVE-2025-53664 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Apica Loadtest
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53663 Maven MEDIUM This Month

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure IBM Jenkins Ibm Cloud Devops
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53662 Maven MEDIUM This Month

CVE-2025-53662 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Ifttt Build Notifier
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53661 Maven MEDIUM This Month

Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Testsigma Test Plan Run
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53660 Maven MEDIUM This Month

CVE-2025-53660 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Qmetry Test Management
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53659 Maven MEDIUM This Month

Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Qmetry Test Management
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53658 Maven MEDIUM PATCH This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS Jenkins Applitools Eyes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53657 Maven MEDIUM This Month

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Readyapi Functional Testing
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53656 Maven MEDIUM This Month

CVE-2025-53656 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Readyapi Functional Testing
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53655 Maven MEDIUM This Month

CVE-2025-53655 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Statistics Gatherer
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53654 Maven MEDIUM This Month

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Statistics Gatherer
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53653 Maven MEDIUM This Month

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Aqua Security Scanner
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53652 Maven HIGH PATCH This Week

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Code Injection Jenkins Git Parameter
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
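The Git Parameter entry above is one instance of a general class: a build endpoint accepts whatever value the client submits for a choice parameter instead of checking it against the choices the plugin actually offered. The following is an added example, not code from the plugin or the Jenkins project, of the check that should run before a submitted value reaches a git command line. The allowlist against the offered choices is the real control; the ref-name syntax check (rules from git-check-ref-format, plus rejecting a leading "-" so the value can never be parsed as an option) is defence in depth. The branch list and the `--upload-pack` value in the tests are constructed illustrations, not material from the advisory.

```python
import re
from typing import Iterable

# Rules from git-check-ref-format(1): no "..", no "@{", no ASCII control
# characters or spaces, none of ~ ^ : ? * [ \, no path component that starts
# with "." or ends in ".lock", no trailing "/" or ".", and not the bare "@".
# A leading "-" is rejected on top of that so the value can never be read as
# a command-line option by git.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_ref_name(value: str) -> bool:
    if not value or value == "@" or value.startswith("-"):
        return False
    if _FORBIDDEN_CHARS.search(value) or ".." in value or "@{" in value:
        return False
    if value.endswith("/") or value.endswith("."):
        return False
    for component in value.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def validate_git_parameter(submitted: str, offered: Iterable[str]) -> str:
    """Return the submitted value only if the plugin itself offered it.

    The allowlist is the real control; the syntax check is defence in depth
    for the case where the offered list was built from untrusted ref names.
    """
    if submitted not in set(offered):
        raise ValueError("value %r is not one of the offered choices" % (submitted,))
    if not is_safe_ref_name(submitted):
        raise ValueError("offered value %r is not a well-formed ref name" % (submitted,))
    return submitted


def is_accepted(submitted: str, offered: Iterable[str]) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_git_parameter(submitted, offered)
        return True
    except ValueError:
        return False


# Constructed choice list, as a plugin would compute it from `git ls-remote`.
OFFERED_BRANCHES = ["main", "release/1.2", "feature/login"]
```

In a Jenkins plugin the equivalent check belongs in the parameter definition's value-creation path (the method that turns the submitted form value into a ParameterValue), not only in the UI that renders the dropdown, because the UI is trivially bypassed with a direct POST.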
CVE-2025-53651 Maven MEDIUM PATCH This Month

CVE-2025-53651 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Html Publisher
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-53650 Maven HIGH PATCH This Week

Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

Information Disclosure Jenkins Credentials Binding
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-9453 MEDIUM PATCH This Month

A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs, which carries a high risk when those logs are centralized during collection. The token is typically valid for one year, so a malicious user who gains access to the logs can use it to compromise the environment.

Information Disclosure Jenkins Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.0%
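Both the Credentials Binding entry (credentials leaking through exception messages in the build log) and the OpenShift Jenkins entry (a bearer token written unmasked to logs that are then centralized) come down to the same control: every line that reaches the log, including stack traces and exception messages, must pass through the same masking step as ordinary build output. The block below is an added example, not the plugin's or Red Hat's code, of that masking step. The secrets and log lines are constructed; the JWT-shaped token is a made-up string.

```python
import re
from typing import Iterable, List, Optional

MASK = "****"


def build_mask_pattern(secrets: Iterable[str]) -> Optional["re.Pattern"]:
    """One alternation with the longest value first, so a secret that is a
    prefix of another ("hunter2" vs "hunter2-extended") cannot leave a
    partial value behind after substitution."""
    values = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not values:
        return None
    return re.compile("|".join(re.escape(v) for v in values))


def mask_line(line: str, pattern: Optional["re.Pattern"]) -> str:
    return line if pattern is None else pattern.sub(MASK, line)


def mask_build_log(lines: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """Apply masking to every line. Exception messages and stack traces go
    through the same path as command output; skipping them is the gap the
    Credentials Binding advisory describes."""
    pattern = build_mask_pattern(secrets)
    return [mask_line(line, pattern) for line in lines]


# Constructed secrets and log lines for the demonstration.
SECRETS = ["hunter2", "hunter2-extended", "eyJhbGciOiJSUzI1NiJ9.payload.sig"]
SAMPLE_LOG = [
    "+ curl -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.payload.sig' https://api.example.test/v1",
    "java.io.IOException: Cannot connect to https://api.example.test with key hunter2-extended",
    "\tat com.example.Client.connect(Client.java:42)",
    "Finished: FAILURE",
]
```

Two caveats a practitioner will want: a value that appears transformed (URL-encoded, base64, split across lines by a wrapping tool) is not caught by literal matching, so the masking set should include the encodings the build is known to emit; and a secret short enough to appear in unrelated text will cause over-masking, which is the safer failure.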
CVE-2025-5806 Maven HIGH PATCH This Week

A cross-site scripting vulnerability in the Jenkins Gatling Plugin (CVSS 8.0). High severity; prompt remediation is advised.

XSS Java Jenkins Gatling
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-47889 Maven CRITICAL Act Now

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Wso2 Oauth
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-47888 Maven MEDIUM This Month

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Jenkins Dingtalk
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-47887 Maven MEDIUM PATCH This Month

Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Jenkins Cadence Vmanager
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-47886 Maven MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

CSRF Jenkins Cadence Vmanager
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-47885 Maven HIGH PATCH This Month

Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Jenkins Health Advisor By Cloudbees
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47884 Maven CRITICAL PATCH This Week

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Jenkins Openid Connect Provider
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2025-32755 CRITICAL Act Now

In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Debian Jenkins Ssh Slave
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-32754 CRITICAL Act Now

In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Debian Jenkins Ssh Agent
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-31728 Maven MEDIUM This Month

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Asakusasatellite
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-31727 Maven MEDIUM This Month

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Asakusasatellite
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-31726 Maven MEDIUM This Month

Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Stack Hammer
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-31725 Maven MEDIUM This Month

Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Monitor Remote Job
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-31724 Maven MEDIUM PATCH This Month

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Jenkins Cadence Vmanager
NVD
CVSS 3.1
4.3
EPSS
0.5%
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Job Import Plugin version 143.v044a_2e819b_27 and earlier exposes credentials ID enumeration to any authenticated user holding the minimal Overall/Read permission due to a missing permission check on an HTTP endpoint. Any low-privileged Jenkins user can query this endpoint and retrieve the IDs of all credentials stored in the Jenkins credentials store, enabling reconnaissance for follow-on credential-targeting attacks. No public exploit has been identified at time of analysis, CISA has not listed this in KEV, and SSVC rates exploitation status as none with partial technical impact.

Information Disclosure Jenkins
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.

CSRF Jenkins
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier enables unauthenticated network attackers to craft login URLs that redirect authenticated victims to arbitrary, attacker-controlled destinations, facilitating phishing campaigns targeting Jenkins users. The plugin fails to validate or restrict the post-login redirect URL parameter, classified under CWE-601. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.3 Medium rating reflects network reachability offset by a mandatory user interaction requirement.

Open Redirect Jenkins
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to force the Jenkins server to initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This constitutes a server-side request forgery (SSRF)-class primitive - an attacker can leverage this to probe internal network services, perform port scanning, or interact with internal infrastructure reachable by the Jenkins host. No public exploit has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

SSRF Jenkins
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Information Disclosure Jenkins
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.

Information Disclosure Jenkins
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.

Deserialization Jenkins
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to abuse the plugin's default LDAP referral-following behavior to force Jenkins to issue out-of-band requests to attacker-controlled or internal network hosts. The vulnerability (CWE-918) stems from the plugin not restricting LDAP referrals by default, which can be weaponized to pivot from the Jenkins server into internal infrastructure. No public exploit code exists and SSVC confirms no known active exploitation, but the technical impact is rated total - confidentiality, integrity, and availability are all at risk if exploitation succeeds.

SSRF Jenkins
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Deserialization Jenkins
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.

SSRF Jenkins
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.

Information Disclosure Apple Jenkins +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

Open Redirect Microsoft Jenkins
NVD VulDB
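The Bitbucket OAuth and Microsoft Entra ID entries are the same bug in two plugins: the post-login redirect parameter is used as-is. What follows is an added example, not code from either plugin, of a redirect validator that accepts only a local path or an absolute URL on the instance's own configured root URL, and handles the encodings browsers are lenient about (backslash as slash, stripped tab/CR/LF, protocol-relative `//host`). The root URL and the test inputs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit


def safe_post_login_redirect(target: Optional[str], root_url: str, default: str = "/") -> str:
    """Return a post-login destination that stays on this Jenkins instance.

    Accepts a local absolute path ("/job/x/") or a full URL whose scheme and
    host match the configured root URL; anything else falls back to `default`.
    """
    if not target:
        return default
    # Browsers drop tab/CR/LF from URLs and treat "\" as "/". Normalise the same
    # way before parsing, otherwise "/\\evil.example" or "/\t/evil.example" is a
    # harmless local path to this check and a protocol-relative URL to the browser.
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n").strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    root = urlsplit(root_url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own origin is acceptable.
        # The netloc comparison is exact, so "host@evil.example" and a
        # different port are both refused.
        same_origin = (
            parts.scheme.lower() == root.scheme.lower()
            and parts.netloc.lower() == root.netloc.lower()
        )
        return cleaned if same_origin else default
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return default
    return cleaned


# Constructed configured root URL for the tests below.
ROOT_URL = "https://jenkins.corp.example/"
```

Comparing against the administrator-configured root URL, rather than the request's Host header, matters for the same reason as in the CLI WebSocket origin-check entry further down: the Host header is attacker-influenced, the configured URL is not.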
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS Jenkins
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

XSS Jenkins
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Authentication Bypass Jenkins
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Information Disclosure Deserialization Jenkins
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

RCE Path Traversal Jenkins
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Authentication Bypass Jenkins
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Path traversal in the Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by supplying test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, so sensitive files can be included in the generated report.

Java Information Disclosure Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to that form in the Jenkins web interface to observe and capture them. This information disclosure affects administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure.

Information Disclosure Jenkins
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.

Information Disclosure Jenkins
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass in the CLI WebSocket endpoint that enables DNS rebinding attacks. The expected request origin is computed from the Host and X-Forwarded-Host headers, which an attacker who controls the name the victim's browser resolves also controls, so a malicious web page can reach the CLI WebSocket endpoint from the victim's browser and potentially execute CLI commands through it. Rated CVSS 7.5; the vulnerability affects a core Jenkins component and was disclosed by the Jenkins security team.

Authentication Bypass Jenkins Red Hat
NVD VulDB
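The CLI WebSocket entry above describes the flaw in one sentence: the expected origin is derived from headers the client sends. The block below is an added example, not Jenkins code, that places the flawed check beside one anchored to the administrator-configured root URL, and runs both against a constructed DNS-rebinding request in which Host and Origin agree with each other (they both carry the attacker's name, which now resolves to the Jenkins IP) but not with the real instance name. The header names, host names and root URL are assumptions for the illustration.

```python
from typing import Mapping
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host:port so origins compare exactly."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return "%s://%s:%d" % (parts.scheme.lower(), host, port)


def origin_allowed_by_host_header(headers: Mapping[str, str]) -> bool:
    """Flawed check, the pattern in the entry above: the 'expected' origin is
    built from Host / X-Forwarded-Host, which the requesting client controls.
    Under DNS rebinding the browser sends the attacker's name in both headers,
    so they agree and the check passes."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "http")
    expected = origin_of("%s://%s" % (scheme, host))
    return origin_of(headers.get("Origin", "")) == expected


def origin_allowed_by_configured_url(headers: Mapping[str, str], root_url: str) -> bool:
    """Hardened check: compare against the administrator-configured root URL,
    which no request header or DNS answer can influence."""
    origin = headers.get("Origin")
    if not origin:
        return False
    return origin_of(origin) == origin_of(root_url)


# Constructed requests. In the rebinding case the attacker's name has been
# re-pointed at the Jenkins IP after the page loaded, so the browser believes
# it is still talking to rebind.attacker.example.
REBINDING_REQUEST = {
    "Host": "rebind.attacker.example:8080",
    "Origin": "http://rebind.attacker.example:8080",
    "Upgrade": "websocket",
}
LEGIT_REQUEST = {
    "Host": "jenkins.corp.example",
    "X-Forwarded-Proto": "https",
    "Origin": "https://jenkins.corp.example",
    "Upgrade": "websocket",
}
CONFIGURED_ROOT_URL = "https://jenkins.corp.example/"
```

The rebinding request carries no Jenkins session cookie (the browser scopes cookies to the attacker's host name), so what the attacker reaches is whatever the endpoint exposes to that unauthenticated context; the entry above is about the origin check, and the example stops there.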
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.

RCE Path Traversal Jenkins Red Hat
NVD VulDB
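Four entries on this page are the same primitive seen from different inputs: symbolic links inside a tar being followed during extraction (the Jenkins core entry just above), symlinks planted in a Pipeline shared library, unsanitized file names on file and zip-file credentials (Credentials Binding), and crafted attachment paths in Allure test results. The block below is an added example, not code from Jenkins or any of those plugins, of the confinement check that closes all four: resolve the destination with `realpath`, require it to stay under the base directory, and never materialise link entries from an archive. The tar fixture is constructed in memory.

```python
import io
import os
import tarfile
import tempfile
from typing import List


def safe_join(base: str, name: str) -> str:
    """Resolve `name` under `base` and reject anything that escapes it:
    absolute names, '..' components, or a symlink already present under
    base that points elsewhere (realpath follows it, so the check sees it).
    The same check serves file names supplied with file credentials."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise ValueError("path %r escapes %r" % (name, base))
    return candidate


def is_confined(base: str, name: str) -> bool:
    try:
        safe_join(base, name)
        return True
    except ValueError:
        return False


def safe_extract(tar_bytes: bytes, dest: str) -> List[str]:
    """Extract a tar into `dest`, refusing link entries outright and any
    member whose destination escapes `dest`. Returns the rejected names."""
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                rejected.append(member.name)  # never create links from archives
                continue
            if os.path.isabs(member.name) or ".." in member.name.split("/"):
                rejected.append(member.name)
                continue
            try:
                target = safe_join(dest, member.name)
            except ValueError:
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                src = tar.extractfile(member)
                with open(target, "wb") as dst:
                    dst.write(src.read())
            else:
                rejected.append(member.name)  # devices, fifos and the like
    return rejected


def build_malicious_tar() -> bytes:
    """Constructed fixture: a symlink to /etc, a file routed through that
    link, a '..' traversal, and one legitimate file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("lib")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
        for name, data in [
            ("lib/passwd", b"root:x:0:0\n"),   # would land in /etc if the link existed
            ("../outside.txt", b"escaped\n"),
            ("plugins/ok.txt", b"fine\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> List[str]:
    """Extract the fixture into a scratch directory and return what was refused."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(build_malicious_tar(), dest)
        # The link was refused, so lib/passwd became an ordinary file under dest.
        assert os.path.isfile(os.path.join(dest, "lib", "passwd"))
        assert not os.path.islink(os.path.join(dest, "lib"))
        assert os.path.isfile(os.path.join(dest, "plugins", "ok.txt"))
    return rejected
```

Refusing links entirely is deliberate: an archive-relative link could be validated at creation time and still be redirected by a later member that replaces its target, so for plugin, library and report inputs there is no legitimate need to honour them. Python 3.12's `tarfile` data filter applies equivalent rules; the explicit version above shows what those rules are.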
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins versions 2.550 and earlier and LTS 2.541.1 and earlier fail to properly validate Run Parameter values against the submitting user's permissions, allowing authenticated users with Item/Build and Item/Configure permissions to reference builds outside their authorized scope and learn information about those jobs and builds, such as their display names. Attackers can use this to gather intelligence about build infrastructure they are not permitted to view.

Jenkins Red Hat
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Jenkins versions 2.483 through 2.550 and LTS 2.492.1 through 2.541.1 contain a stored XSS vulnerability in the agent offline cause description, which is not properly sanitized. Attackers with Agent/Configure or Agent/Disconnect permission can inject scripts that execute in the browsers of other users viewing the affected agent configuration.

XSS Jenkins Red Hat
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, it encrypts with AES/CBC/PKCS5Padding and no message authentication code, so ciphertext is malleable and decryption exposes a padding oracle. [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Jervis versions up to 2.2 are affected by improper verification of cryptographic signature (CVSS 5.3).

Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, its timing-attack mitigation draws randomness from java.util.Random, which is not a cryptographically secure generator. [CVSS 7.5 HIGH]

Java Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived deterministically from the passphrase as sha256Sum(passphrase) instead of being generated randomly. [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
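The Jervis entries above describe three defects in one construction: CBC encryption with no authentication tag (ciphertext manipulation and a padding oracle), a salt derived as sha256(passphrase) (so the same passphrase always yields the same key), and java.util.Random for security-relevant randomness. The block below is an added example, not Jervis code, showing what each of those looks like when done correctly on the Python standard library: a random per-message salt with PBKDF2, a CSPRNG, and encrypt-then-MAC with the tag verified in constant time before any decryption. Because the standard library has no AES, the keystream is an HMAC-SHA256 counter-mode stand-in, labelled as such in the code; it is not AES and the point of the example is the authentication layer, not the cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 cost. Kept low so the example runs quickly; production
# code should use a much higher count (OWASP's current guidance is 600,000).
KDF_ITERATIONS = 100_000


def derive_key_flawed(passphrase: str) -> bytes:
    """The pattern from the advisory: salt = SHA-256(passphrase).

    The salt is a pure function of the secret, so every encryption under the
    same passphrase yields the same key, and one precomputed table covers
    every user who chose that passphrase."""
    salt = hashlib.sha256(passphrase.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Correct: the salt is random per message and stored beside the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a block cipher so this runs on the standard library alone:
    HMAC-SHA256 as a PRF in counter mode. Not AES, not a substitute for AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the KDF output."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: salt || nonce || ciphertext || HMAC-SHA256 tag.
    secrets.token_bytes is the CSPRNG here; java.util.Random is not one."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(passphrase, salt))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time BEFORE touching the ciphertext, so a
    tampered message produces one uniform failure and no padding oracle."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_key(passphrase, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate the ciphertext manipulation an unauthenticated mode permits."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]
```

With the tag checked first, a flipped ciphertext byte and a wrong passphrase are indistinguishable to the caller (both return None), which is exactly the property an unauthenticated CBC/PKCS5 decryption lacks: there the padding check runs on attacker-modified bytes and its pass/fail result is the oracle.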
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A remote code execution vulnerability in the BlazeMeter Jenkins Plugin (CVSS 5.3), exploitable only by users holding certain permissions. Remediation should follow standard vulnerability management procedures.

RCE Jenkins
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Jenkins Virtual Appliance Application +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jenkins Red Hat
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Jenkins Red Hat
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Jenkins Red Hat
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH Monitor

A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Authentication Bypass Jenkins Opentelemetry
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Jenkins Global Build Stats
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Jenkins Git Client
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Applitools Eyes
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Applitools Eyes
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins User1st Utester
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

CVE-2025-53677 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Xooa
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Xooa
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-53675 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Warrior Framework
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

CVE-2025-53674 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Sensedia Api Platform Tools
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Sensedia Api Platform Tools
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Kryptowire
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-53671 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Nouvola Divecloud
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Nouvola Divecloud
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

CVE-2025-53669 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Vaddy
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Vaddy
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

CVE-2025-53665 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Apica Loadtest
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-53664 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Apica Loadtest
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure IBM Jenkins +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-53662 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Ifttt Build Notifier
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Testsigma Test Plan Run
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

CVE-2025-53660 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Qmetry Test Management
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Qmetry Test Management
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS Jenkins Applitools Eyes
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Information Disclosure Jenkins Readyapi Functional Testing
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-53656 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Readyapi Functional Testing
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

CVE-2025-53655 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Statistics Gatherer
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Information Disclosure Jenkins Statistics Gatherer
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Information Disclosure Jenkins Aqua Security Scanner
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Code Injection Jenkins Git Parameter
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

CVE-2025-53651 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jenkins Html Publisher
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

Information Disclosure Jenkins Credentials Binding
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information.

Information Disclosure Jenkins Red Hat
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A cross-site scripting vulnerability (CVSS 8.0); high severity, requiring prompt remediation.

XSS Java Jenkins +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Wso2 Oauth
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Jenkins Dingtalk
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cadence Vmanager
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Jenkins Cadence Vmanager
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jenkins Health Advisor By Cloudbees
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH This Week

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Openid Connect Provider
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the same. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Debian +2
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Docker Debian +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Asakusasatellite
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Asakusasatellite
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Stack Hammer
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Monitor Remote Job
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Cadence Vmanager
NVD