Filtered by vendor Jenkins
Subscriptions
Total
1743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | 9.8 Critical |
| Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-38666 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | 7.5 High |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. | ||||
| CVE-2022-45381 | 2 Jenkins, Redhat | 2 Pipeline Utility Steps, Openshift | 2025-04-30 | 8.1 High |
| Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | ||||
| CVE-2022-45380 | 2 Jenkins, Redhat | 2 Junit, Openshift | 2025-04-30 | 5.4 Medium |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-45383 | 1 Jenkins | 1 Support Core | 2025-04-30 | 6.5 Medium |
| An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. | ||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2025-04-30 | 5.4 Medium |
| Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | ||||
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. | ||||
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. | ||||
| CVE-2025-31722 | 1 Jenkins | 1 Templating Engine | 2025-04-29 | 8.8 High |
| In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-46688 | 1 Jenkins | 1 Sonar Gerrit | 2025-04-23 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | ||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | 5.4 Medium |
| Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | ||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2025-04-23 | 5.4 Medium |
| Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. | ||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2025-04-23 | 5.4 Medium |
| Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-46683 | 1 Jenkins | 1 Google Login | 2025-04-23 | 6.1 Medium |
| Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | ||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | 9.8 Critical |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2017-1000106 | 1 Jenkins | 1 Blue Ocean | 2025-04-20 | N/A |
| Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name. | ||||
| CVE-2017-1000104 | 1 Jenkins | 1 Config File Provider | 2025-04-20 | N/A |
| The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files. | ||||
| CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2025-04-20 | N/A |
| The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | ||||
| CVE-2017-1000093 | 1 Jenkins | 1 Poll Scm | 2025-04-20 | N/A |
| Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. | ||||
| CVE-2017-1000243 | 1 Jenkins | 1 Favorite Plugin | 2025-04-20 | N/A |
| Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites | ||||