Skip to main content

Jenkins

1691 CVEs vendor

Monthly

CVE-2018-1000194 Maven HIGH PATCH This Week

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Path Traversal Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
8.1
EPSS
2.6%
CVE-2018-1000193 Maven MEDIUM PATCH This Month

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Information Disclosure Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2018-1000192 Maven MEDIUM PATCH This Month

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Information Disclosure Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2018-1000191 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Black Duck Detect Plugin 1.4.0 and older in DetectPostBuildStepDescriptor.java that allows attackers with Overall/Read access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Synopsys Detect
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000190 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Black Duck Hub
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000189 Maven HIGH PATCH This Week

A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Absint Astree
NVD
CVSS 3.0
8.8
EPSS
2.0%
CVE-2018-1000188 Maven MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF Cas
NVD
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-1000187 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins Information Disclosure
NVD
CVSS 3.0
6.5
EPSS
1.3%
CVE-2018-1000186 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Github Pull Request Builder
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000185 Maven MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF Github Branch Source
NVD
CVSS 3.0
4.3
EPSS
0.6%
CVE-2018-1000184 Maven MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF Github
NVD
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-1000183 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Github
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000182 Maven MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF Git
NVD
CVSS 3.0
6.4
EPSS
0.8%
CVE-2018-1000177 Maven MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS S3 Publisher
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-1000176 Maven MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Email Extension
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000175 Maven MEDIUM PATCH This Month

A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Path Traversal Html Publisher
NVD
CVSS 3.0
6.5
EPSS
2.7%
CVE-2018-1000174 Maven MEDIUM PATCH This Month

An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Java Jenkins Open Redirect Google Login
NVD
CVSS 3.0
6.1
EPSS
1.0%
CVE-2018-1000173 Maven MEDIUM PATCH This Month

A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Jenkins Java Google Authentication Bypass +1
NVD
CVSS 3.0
5.9
EPSS
1.6%
CVE-2018-1000170 Maven MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2018-1000169 Maven MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure
NVD
CVSS 3.0
5.3
EPSS
1.4%
CVE-2018-1000153 Maven HIGH PATCH This Week

A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java CSRF Jenkins Denial Of Service Vsphere
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-1000152 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java,. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Denial Of Service Vsphere
NVD
CVSS 3.0
6.3
EPSS
0.7%
CVE-2018-1000151 Maven MEDIUM PATCH This Month

A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Jenkins Information Disclosure Vsphere
NVD
CVSS 3.0
5.6
EPSS
0.4%
CVE-2018-1000150 Maven LOW PATCH Monitor

An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Reverse Proxy Auth
NVD
CVSS 3.0
3.3
EPSS
0.3%
CVE-2018-1000149 Maven MEDIUM PATCH This Month

A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java,. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Jenkins Information Disclosure Ansible
NVD
CVSS 3.0
5.6
EPSS
0.7%
CVE-2018-1000148 Maven MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Copy To Slave
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-1000147 Maven MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Perforce
NVD
CVSS 3.0
6.5
EPSS
0.9%
CVE-2018-1000146 Maven HIGH PATCH This Week

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins RCE Liquibase Runner
NVD
CVSS 3.0
8.8
EPSS
1.6%
CVE-2018-1000145 Maven MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Perforce
NVD
CVSS 3.0
6.5
EPSS
1.1%
CVE-2018-1000144 Maven MEDIUM PATCH This Month

A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XSS Cucumber Living Documentation
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-1000143 Maven MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Github Pull Request Builder
NVD
CVSS 3.0
6.7
EPSS
0.4%
CVE-2018-1000142 Maven HIGH PATCH This Week

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Github Pull Request Builder
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2018-8718 Maven HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Jenkins Mailer
NVD Exploit-DB
CVSS 3.0
8.0
EPSS
6.8%
CVE-2018-1000114 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Promoted Builds
NVD
CVSS 3.0
4.3
EPSS
0.6%
CVE-2018-1000113 Maven MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Testlink
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-1000112 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Mercurial
NVD
CVSS 3.0
5.3
EPSS
1.0%
CVE-2018-1000111 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Subversion
NVD
CVSS 3.0
5.3
EPSS
0.9%
CVE-2018-1000110 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Git
NVD
CVSS 3.0
5.3
EPSS
4.0%
CVE-2018-1000109 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Authentication Bypass Jenkins Java Google Play Android Publisher
NVD
CVSS 3.0
4.3
EPSS
0.7%
CVE-2018-1000108 Maven MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XSS Cppncss
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-1000107 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Job And Node Ownership
NVD
CVSS 3.0
6.5
EPSS
0.7%
CVE-2018-1000106 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Gerrit Trigger
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2018-1000105 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins Gerrit Trigger
NVD
CVSS 3.0
4.3
EPSS
0.7%
CVE-2018-1000104 Maven HIGH PATCH This Week

A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Coverity
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2018-6356 Maven MEDIUM PATCH This Month

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Microsoft Jenkins Path Traversal Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
6.5
EPSS
3.9%
CVE-2018-1000068 Maven MEDIUM PATCH This Month

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2018-1000067 Maven MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Jenkins SSRF Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.3
EPSS
1.7%
CVE-2018-1000058 Maven HIGH PATCH This Week

Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Deserialization RCE Pipeline Supporting Apis
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2018-1000057 Maven MEDIUM PATCH This Month

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Credentials Binding
NVD
CVSS 3.0
4.3
EPSS
0.7%
CVE-2018-1000056 Maven HIGH PATCH This Week

Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Junit
NVD
CVSS 3.0
8.3
EPSS
1.1%
CVE-2018-1000055 Maven HIGH PATCH This Week

Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Jenkins XXE SSRF Android Lint
NVD
CVSS 3.0
8.3
EPSS
0.9%
CVE-2018-1000054 Maven HIGH PATCH This Week

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Ccm
NVD
CVSS 3.0
8.3
EPSS
0.9%
CVE-2018-1000015 Maven MEDIUM PATCH This Month

On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Pipeline Nodes And Processes
NVD
CVSS 3.0
4.8
EPSS
1.0%
CVE-2018-1000014 Maven HIGH PATCH This Week

Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Translation Assistance
NVD
CVSS 3.0
8.8
EPSS
0.8%
CVE-2018-1000013 Maven HIGH PATCH This Week

Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Release
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2018-1000012 Maven HIGH PATCH This Week

Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Warnings
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2018-1000011 Maven HIGH This Week

Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Findbugs
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2018-1000010 Maven HIGH PATCH This Week

Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Dry
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2018-1000009 Maven HIGH PATCH This Week

Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Checkstyle
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2018-1000008 Maven HIGH PATCH This Week

Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Pmd
NVD
CVSS 3.0
8.8
EPSS
1.2%
CVE-2017-17383 Maven MEDIUM PATCH This Month

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jenkins
NVD
CVSS 3.0
4.7
EPSS
0.2%
CVE-2017-1000244 Maven HIGH PATCH This Week

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Favorite
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1000243 Maven MEDIUM PATCH This Month

Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Jenkins Favorite Plugin
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2017-1000242 Maven LOW PATCH Monitor

Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Git Client
NVD
CVSS 3.0
3.3
EPSS
0.0%
CVE-2017-1000114 Maven LOW PATCH Monitor

The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

XSS Jenkins Information Disclosure Datadog
NVD
CVSS 3.0
3.1
EPSS
0.0%
CVE-2017-1000113 Maven MEDIUM PATCH This Month

The Deploy to container Plugin stored passwords unencrypted as part of its configuration. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Deploy
NVD
CVSS 3.0
5.5
EPSS
0.0%
CVE-2017-1000110 Maven MEDIUM PATCH This Month

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Jenkins Blue Ocean
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2017-1000106 Maven HIGH PATCH This Week

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Jenkins Blue Ocean
NVD
CVSS 3.0
8.5
EPSS
0.0%
CVE-2017-1000104 Maven MEDIUM PATCH This Month

The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Jenkins Privilege Escalation Config File Provider
NVD
CVSS 3.0
6.5
EPSS
0.0%
CVE-2017-1000096 Maven HIGH PATCH This Week

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Jenkins Pipeline
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-1000093 Maven HIGH PATCH This Week

Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Poll Scm
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1000092 Maven HIGH PATCH This Week

Git Plugin connects to a user-specified Git repository as part of form validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Git
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2017-1000091 Maven MEDIUM PATCH This Month

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Github Branch Source
NVD
CVSS 3.0
6.3
EPSS
0.1%
CVE-2017-1000090 Maven HIGH PATCH This Week

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Role Based Authorization Strategy
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1000089 Maven MEDIUM PATCH This Month

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Jenkins Privilege Escalation Pipeline
NVD
CVSS 3.0
5.3
EPSS
0.0%
CVE-2017-1000085 Maven MEDIUM PATCH This Month

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Subversion
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-1000084 Maven MEDIUM PATCH This Month

Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Jenkins Privilege Escalation Parameterized Trigger
NVD
CVSS 3.0
6.5
EPSS
0.0%
CVE-2014-9635 Maven MEDIUM PATCH This Month

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Jenkins Information Disclosure
NVD GitHub
CVSS 3.0
5.3
EPSS
0.6%
CVE-2014-9634 Maven MEDIUM PATCH This Month

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Jenkins Information Disclosure
NVD GitHub
CVSS 3.0
5.3
EPSS
0.7%
CVE-2017-1000362 Maven CRITICAL PATCH Act Now

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2016-4988 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Jenkins Build Failure Analyzer
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2016-4987 Maven MEDIUM PATCH This Month

Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Jenkins Image Gallery
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2016-4986 Maven HIGH PATCH This Week

Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Jenkins Tap
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2016-3102 Maven HIGH PATCH This Week

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Jenkins Script Security
NVD
CVSS 3.0
7.3
EPSS
0.1%
CVE-2016-3101 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Jenkins Extra Columns
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2016-9299 Maven CRITICAL POC PATCH THREAT Act Now

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 89.2%.

Code Injection RCE Java Jenkins LDAP +1
NVD Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
89.2%
Threat
6.1
CVE-2016-3727 Maven MEDIUM PATCH This Month

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Openshift
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2016-3726 Maven HIGH PATCH This Week

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Jenkins Openshift
NVD
CVSS 3.0
7.4
EPSS
0.1%
CVE-2016-3725 Maven MEDIUM PATCH This Month

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Jenkins Denial Of Service Privilege Escalation Openshift
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2016-3724 Maven MEDIUM PATCH This Month

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Openshift
NVD
CVSS 3.0
6.5
EPSS
0.3%
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Path Traversal +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Black Duck Detect Plugin 1.4.0 and older in DetectPostBuildStepDescriptor.java that allows attackers with Overall/Read access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins SSRF +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS S3 Publisher
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Path Traversal +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Java Jenkins +2
NVD
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Jenkins Java +3
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java CSRF Jenkins +2
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java,. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +2
NVD
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Reverse Proxy Auth
NVD
EPSS 1% CVSS 5.6
MEDIUM PATCH This Month

A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java,. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins RCE Liquibase Runner
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XSS Cucumber Living Documentation
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 7% CVSS 8.0
HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Jenkins Mailer
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Testlink
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Authentication Bypass Jenkins +2
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XSS Cppncss
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Jenkins +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD
EPSS 4% CVSS 6.5
MEDIUM PATCH This Month

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Microsoft Jenkins Path Traversal +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Communications Cloud Native Core Automated Test Suite
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Jenkins SSRF Communications Cloud Native Core Automated Test Suite
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Deserialization +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Credentials Binding
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Jenkins XXE +2
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Pipeline Nodes And Processes
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Translation Assistance
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Release
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jenkins
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Favorite
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Jenkins Favorite Plugin
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Git Client
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

XSS Jenkins Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Deploy to container Plugin stored passwords unencrypted as part of its configuration. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Deploy
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Jenkins Blue Ocean
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Jenkins Blue Ocean
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Jenkins Privilege Escalation Config File Provider
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Jenkins Pipeline
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Poll Scm
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Git Plugin connects to a user-specified Git repository as part of form validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Git
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Github Branch Source
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Role Based Authorization Strategy
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Jenkins Privilege Escalation Pipeline
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Jenkins Subversion
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Jenkins Privilege Escalation Parameterized Trigger
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Jenkins Information Disclosure
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Jenkins Information Disclosure
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Jenkins Build Failure Analyzer
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Jenkins Image Gallery
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Jenkins Tap
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Jenkins Script Security
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Jenkins Extra Columns
NVD
EPSS 89% 6.1 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 89.2%.

Code Injection RCE Java +3
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Openshift
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Jenkins Openshift
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Jenkins Denial Of Service Privilege Escalation +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Openshift
NVD
Prev Page 18 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy