Skip to main content

Jenkins

1691 CVEs vendor

Monthly

CVE-2023-24434 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Github Pull Request Builder
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-24433 Maven MEDIUM PATCH This Month

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Orka By Macstadium
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-24432 Maven HIGH PATCH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Orka By Macstadium
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-24431 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Orka By Macstadium
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-24430 Maven CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Semantic Versioning
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-24429 Maven CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE SSRF Semantic Versioning
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-24428 Maven MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins CSRF Bitbucket Oauth
NVD
CVSS 3.1
5.7
EPSS
0.5%
CVE-2023-24427 Maven CRITICAL PATCH Act Now

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Bitbucket Oauth
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-24426 Maven HIGH This Week

Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Microsoft Azure Ad
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-24425 Maven MEDIUM PATCH This Month

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Jenkins Authentication Bypass Kubernetes Credentials Provider
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-24424 Maven HIGH PATCH This Week

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Openid Connect Authentication
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-24423 Maven MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Gerrit Trigger
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-24422 Maven HIGH PATCH This Week

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts,. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Jenkins Command Injection Script Security
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-46688 Maven MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Sonar Gerrit
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-46687 Maven MEDIUM PATCH This Month

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins XSS Spring Config
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-46686 Maven MEDIUM PATCH This Month

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Custom Build Properties
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-46685 Maven MEDIUM PATCH This Month

In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitea Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-46684 Maven MEDIUM PATCH This Month

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Checkmarx
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-46683 Maven MEDIUM PATCH This Month

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Jenkins Open Redirect Google Login
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-46682 Maven CRITICAL PATCH Act Now

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Plot
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-45401 Maven MEDIUM This Month

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Associated Files
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-45400 Maven CRITICAL Act Now

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Japex
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-45399 Maven MEDIUM This Month

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cluster Statistics
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-45398 Maven MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Cluster Statistics
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-45397 Maven CRITICAL Act Now

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Osf Builder Suite
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-45396 Maven CRITICAL Act Now

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Sourcemonitor
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-45395 Maven CRITICAL Act Now

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Cccc
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-45394 Maven MEDIUM This Month

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Delete Log
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-45393 Maven LOW Monitor

A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Jenkins Delete Log
NVD
CVSS 3.1
3.5
EPSS
0.4%
CVE-2022-45392 Maven MEDIUM PATCH This Month

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-45391 Maven HIGH PATCH This Week

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2022-45390 Maven MEDIUM This Month

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Loader Io
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-45389 Maven MEDIUM This Month

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Xp Dev
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-45388 Maven HIGH This Week

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Jenkins Config Rotator
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-45387 Maven MEDIUM This Month

Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Bart
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-45386 Maven MEDIUM This Month

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Violations
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-45385 Maven HIGH PATCH This Week

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Jenkins Cloudbees Docker Hub Registry Notification
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-45384 Maven MEDIUM PATCH This Month

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Reverse Proxy Auth
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-45383 Maven MEDIUM PATCH This Month

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Support Core
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-45382 Maven MEDIUM PATCH This Month

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Naginator
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-45381 Maven HIGH PATCH This Week

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Jenkins Pipeline Utility Steps
NVD
CVSS 3.1
8.1
EPSS
1.3%
CVE-2022-45380 Maven MEDIUM PATCH This Month

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Junit
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-45379 Maven HIGH PATCH This Week

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Script Security
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-38666 Maven HIGH This Week

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2022-43435 Maven MEDIUM This Month

Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins 360 Fireline
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43434 Maven MEDIUM PATCH This Month

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Neuvector Vulnerability Scanner
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43433 Maven MEDIUM This Month

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Screenrecorder
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-43432 Maven MEDIUM This Month

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Xframium Builder
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-43431 Maven MEDIUM PATCH This Month

Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Strobe Measurement
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-43430 Maven HIGH PATCH This Week

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Compuware Topaz For Total Test
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-43429 Maven HIGH This Week

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Topaz For Total Test
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-43428 Maven MEDIUM PATCH This Month

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins Compuware Topaz For Total Test
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43427 Maven MEDIUM PATCH This Month

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Topaz For Total Test
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-43426 Maven MEDIUM This Month

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins S3 Explorer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-43425 Maven MEDIUM This Month

Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Custom Checkbox Parameter
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2022-43424 Maven MEDIUM PATCH This Month

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins Compuware Xpediter Code Coverage
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43423 Maven MEDIUM PATCH This Month

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins Compuware Source Code Download For Endevor Pds And Ispw
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43422 Maven MEDIUM PATCH This Month

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins Compuware Topaz Utilities
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-43421 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Tuleap Git Branch Source
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-43420 Maven MEDIUM PATCH This Month

Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Contrast Continuous Application Security
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-43419 Maven MEDIUM PATCH This Month

Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Katalon
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-43418 Maven MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Katalon
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-43417 Maven MEDIUM PATCH This Month

Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Katalon
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-43416 Maven HIGH PATCH This Week

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Jenkins Katalon
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-43415 Maven HIGH PATCH This Week

Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Repo
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-43414 Maven MEDIUM PATCH This Month

Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jenkins Nunit
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-43413 Maven MEDIUM PATCH This Month

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Job Import
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-43412 Maven MEDIUM PATCH This Month

Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Generic Webhook Trigger
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-43411 Maven MEDIUM PATCH This Month

Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure Jenkins
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-43410 Maven MEDIUM PATCH This Month

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Mercurial
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-43409 Maven MEDIUM PATCH This Month

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Pipeline
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-43408 Maven MEDIUM PATCH This Month

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Pipeline
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-43407 Maven HIGH PATCH This Week

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Pipeline
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-43406 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Groovy Libraries
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2022-43405 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Groovy Libraries
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2022-43404 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2022-43403 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
CVSS 3.1
9.9
EPSS
1.4%
CVE-2022-43402 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Pipeline
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2022-43401 Maven CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2022-41255 Maven MEDIUM This Month

Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Cons3Rt
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-41254 Maven MEDIUM This Month

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cons3Rt
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-41253 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Cons3Rt
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-41252 Maven MEDIUM This Month

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cons3Rt
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-41251 Maven MEDIUM This Month

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Apprenda
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-41250 Maven MEDIUM This Month

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Scm Httpclient
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-41249 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Scm Httpclient
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-41248 Maven MEDIUM This Month

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Bigpanda Notifier
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2022-41247 Maven MEDIUM This Month

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Bigpanda Notifier
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-41246 Maven MEDIUM This Month

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Worksoft Execution Manager
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-41245 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Worksoft Execution Manager
NVD
CVSS 3.1
8.8
EPSS
0.4%
EPSS 1% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Github Pull Request Builder
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Orka By Macstadium
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Orka By Macstadium
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Orka By Macstadium
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Semantic Versioning
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins CSRF Bitbucket Oauth
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Microsoft +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Jenkins Authentication Bypass +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Gerrit Trigger
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts,. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Jenkins Command Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Sonar Gerrit
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins XSS +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Custom Build Properties
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitea Jenkins
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Checkmarx
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Jenkins Open Redirect +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Plot
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Associated Files
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Japex
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cluster Statistics
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Cluster Statistics
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Osf Builder Suite
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Sourcemonitor
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Cccc
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Delete Log
NVD
EPSS 0% CVSS 3.5
LOW Monitor

A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Jenkins Delete Log
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Loader Io
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Xp Dev
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Jenkins Config Rotator
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Bart
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Violations
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Jenkins +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Reverse Proxy Auth
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Support Core
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Naginator
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Jenkins +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Junit
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Script Security
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Ns Nd Integration Performance Publisher
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins 360 Fireline
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Neuvector Vulnerability Scanner
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Screenrecorder
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Xframium Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Strobe Measurement
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Compuware Topaz For Total Test
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Topaz For Total Test
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Compuware Topaz For Total Test
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins S3 Explorer
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Custom Checkbox Parameter
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jenkins +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Tuleap Git Branch Source
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Contrast Continuous Application Security
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Katalon
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Katalon
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Katalon
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Jenkins +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Repo
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jenkins +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Job Import
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Generic Webhook Trigger
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure Jenkins
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Mercurial
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Pipeline
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Pipeline
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Pipeline
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Groovy Libraries
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Groovy Libraries
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Pipeline
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Cons3Rt
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cons3Rt
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Cons3Rt
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Cons3Rt
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Apprenda
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Scm Httpclient
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Scm Httpclient
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Bigpanda Notifier
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jenkins Bigpanda Notifier
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Worksoft Execution Manager
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Worksoft Execution Manager
NVD
Prev Page 6 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy