Filtered by vendor Jenkins
Subscribe
Total
1621 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. | |||||
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. | |||||
| CVE-2025-31722 | 1 Jenkins | 1 Templating Engine | 2025-04-29 | N/A | 8.8 HIGH |
| In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. | |||||
| CVE-2022-46688 | 1 Jenkins | 1 Sonar Gerrit | 2025-04-23 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | |||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | N/A | 5.4 MEDIUM |
| Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | |||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2025-04-23 | N/A | 5.4 MEDIUM |
| Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. | |||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2025-04-23 | N/A | 5.4 MEDIUM |
| Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-46683 | 1 Jenkins | 1 Google Login | 2025-04-23 | N/A | 6.1 MEDIUM |
| Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | |||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | N/A | 9.8 CRITICAL |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2016-3102 | 1 Jenkins | 1 Script Security | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
| The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. | |||||
| CVE-2017-1000103 | 1 Jenkins | 1 Dry | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. | |||||
| CVE-2017-1000102 | 1 Jenkins | 1 Static Analysis Utilities | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view. | |||||
| CVE-2017-1000113 | 1 Jenkins | 1 Deploy | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
| The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords. | |||||
| CVE-2017-1000094 | 1 Jenkins | 1 Docker Commons | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | |||||
| CVE-2016-3101 | 1 Jenkins | 1 Extra Columns | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. | |||||
| CVE-2017-1000108 | 1 Jenkins | 1 Pipeline-input-step | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead. | |||||
| CVE-2017-1000096 | 1 Jenkins | 1 Pipeline\ | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | |||||
| CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2025-04-20 | 3.5 LOW | 4.7 MEDIUM |
| Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. | |||||
| CVE-2017-1000090 | 1 Jenkins | 1 Role-based Authorization Strategy | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. | |||||
| CVE-2017-1000110 | 1 Jenkins | 1 Blue Ocean | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean. | |||||