Filtered by vendor Jenkins
Total: 1775 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-27624 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 5.4 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets). |
| CVE-2025-27623 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets. |
| CVE-2025-27622 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. |
| CVE-2025-24403 | 1 Jenkins | 1 Azure Service Fabric | 2026-06-17 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. |
| CVE-2025-24402 | 1 Jenkins | 1 Azure Service Fabric | 2026-06-17 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. |
| CVE-2025-24401 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2026-06-17 | N/A | 6.8 MEDIUM | Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. |
| CVE-2025-24400 | 1 Jenkins | 1 Eiffel Broadcaster | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. |
| CVE-2025-24399 | 1 Jenkins | 1 Openid Connect Authentication | 2026-06-17 | N/A | 8.8 HIGH | Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. |
| CVE-2025-24398 | 1 Jenkins | 1 Bitbucket Server Integration | 2026-06-17 | N/A | 8.8 HIGH | Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. |
| CVE-2025-24397 | 1 Jenkins | 1 Gitlab | 2026-06-17 | N/A | 4.3 MEDIUM | An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. |
| CVE-2024-9453 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Developer Tools And Services | 2026-06-17 | N/A | 6.5 MEDIUM | A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information. |
| CVE-2024-5273 | 1 Jenkins | 1 Report Info | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path. |
| CVE-2024-54004 | 1 Jenkins | 1 Filesystem List Parameter | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. |
| CVE-2024-54003 | 1 Jenkins | 1 Simple Queue | 2026-06-17 | N/A | 8.0 HIGH | Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. |
| CVE-2024-52554 | 1 Jenkins | 1 Shared Library Version Override | 2026-06-17 | N/A | 8.8 HIGH | Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. |
| CVE-2024-52553 | 1 Jenkins | 1 Openid Connect Authentication | 2026-06-17 | N/A | 8.8 HIGH | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. |
| CVE-2024-52552 | 1 Jenkins | 1 Authorize Project | 2026-06-17 | N/A | 8.0 HIGH | Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2024-52551 | 1 Jenkins | 1 Pipeline: Declarative | 2026-06-17 | N/A | 8.0 HIGH | Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. |
| CVE-2024-52550 | 1 Jenkins | 1 Pipeline: Groovy | 2026-06-17 | N/A | 8.0 HIGH | Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. |
| CVE-2024-52549 | 1 Jenkins | 1 Script Security | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. |
