Skip to main content

Jenkins Contrast Continuous Application Security Plugin

3 CVEs product

Monthly

CVE-2026-57299 MEDIUM This Month

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. No public exploit code and no CISA KEV listing have been identified, making this a low-urgency but real information-disclosure concern for multi-tenant Jenkins environments with untrusted users.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57298 MEDIUM This Month

Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. No public exploit code or confirmed active exploitation has been identified at time of analysis, and SSVC rates exploitation likelihood as none with partial technical impact.

CSRF Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57297 MEDIUM This Month

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating low current exploitation probability despite network reachability.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. No public exploit code and no CISA KEV listing have been identified, making this a low-urgency but real information-disclosure concern for multi-tenant Jenkins environments with untrusted users.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. No public exploit code or confirmed active exploitation has been identified at time of analysis, and SSVC rates exploitation likelihood as none with partial technical impact.

CSRF Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating low current exploitation probability despite network reachability.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy