au.com.versent.jenkins.plugins:ignore-committer-strategy (>=37.v0d3157c4a_ef8 <=57.v0756db_b_f6926), com.coravy.hudson.plugins.github:github (>=1.41.0 <=1.46.0.1) +37 more potentially affected by CVE-2025-67640 via org.jenkins-ci.plugins:git-client (>=6.1.0 <=6.4.0)

org.jenkins-ci.plugins:git-client MAVEN version =6.1.0, =37.v0d3157c4aef8, =1.41.0, =61.vf6d8f6f5ed02, =1.1.0.825.v30618768da42, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =3.2083.vd36f32376929, =530.v38d502df428f, =634.v371dc6d978a3, =679.v74133dab435a and more...

Malicious code in BlueOcean (npm)

The package BlueOcean was found to contain malicious code...

MAL-2025-15889 Malicious code in BlueOcean (npm)

The package BlueOcean was found to contain malicious code...

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), io.jenkins.blueocean:blueocean (>=1.27.17 <=1.27.25) +8 more potentially affected by CVE-2025-53651 via org.jenkins-ci.plugins:htmlpublisher (>=1.0 <=1.6)

org.jenkins-ci.plugins:htmlpublisher MAVEN version =1.0, =1.9.2-beta, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =1.0.18 Source cves: CVE-2025-53651 Source advisory: OSV:GHSA-367V-5PPJ-2HRX...

CVE-2023-40341

A flaw was found in the blueocean Jenkins plugin. Affected versions of this plugin allow attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job...

com.amadeus.jenkins.plugins:workflow-cps-global-lib-http (>=2.33.0 <=2.54.0), com.compuware.jenkins:compuware-scm-downloader (>=1.6 <=2.0.5) +105 more potentially affected by CVE-2023-40338 via org.jenkins-ci.plugins:cloudbees-folder (>=4.0 <=6.815.v0dd5a_cb_40e0e)

org.jenkins-ci.plugins:cloudbees-folder MAVEN version =4.0, =2.33.0, =1.6, =1.8, =1.0.2, =1.0.0, =2.0.0, =0.4, =1.0, =7.5.7, =0.9.1, =1.0-alpha-1, =1.27.19, =1.27.25 and more Source cves: CVE-2023-40338 Source advisory: OSV:GHSA-36HQ-V2FC-RPQP...

io.jenkins.blueocean:blueocean-pipeline-scm-api (>=1.27.4 <=1.27.5.1), io.jenkins.plugins:code-coverage-api (>=4.2.0 <=4.7.0) +12 more potentially affected by CVE-2023-32977 via org.jenkins-ci.plugins.workflow:workflow-job (>=0.1-beta-1 <=1292.v27d8cc3e2602)

org.jenkins-ci.plugins.workflow:workflow-job MAVEN version =0.1-beta-1, =1.27.4, =4.2.0, =1.17.vd2468d9c5e85, =0.1-beta-1, =1.14, =1.16.4 - org.jenkins-ci.plugins:gradle =2.12.0.1 - org.jenkins-ci.plugins:inline-pipeline =1.0.3 Source cves: CVE-2023-32977 Source advisory: OSV:GHSA-2WVV-PHHW-QVMC...

blueocean-adventure.co.uk Cross Site Scripting vulnerability OBB-2711624

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

com.nirima:docker-plugin (>=0.17 <=1.0.4), com.testinium.jenkins:testinium (=1.0) +37 more potentially affected by CVE-2019-1010241 via org.jenkins-ci.plugins:credentials-binding (>=1.10 <=1.16)

org.jenkins-ci.plugins:credentials-binding MAVEN version =1.10, =0.17, =1.0.43, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1-preview-1, =1.2.7, =0.1.0, =0.1.1, =0.4.2 and more Source cves: CVE-2019-1010241 Source advisory: SNYK:JAVA-ORGJENKINSCIPLUGINS-9402853...

io.jenkins.blueocean:blueocean (>=1.1.0 <=1.1.7), io.jenkins.blueocean:blueocean-events (>=1.1.0 <=1.1.7) +3 more potentially affected by CVE-2022-30952 via io.jenkins.blueocean:blueocean-pipeline-scm-api (>=1.1.0-beta-4 <=1.1.7)

io.jenkins.blueocean:blueocean-pipeline-scm-api MAVEN version =1.1.0-beta-4, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.7 Source cves: CVE-2022-30952 Source advisory: OSV:GHSA-G74W-93CP-5P3P...

CVE-2022-30952

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins...

com.base2services.jenkins:github-sqs-plugin (>=1.0 <=1.1), com.elasticbox.jenkins-ci.plugins:elasticbox (>=4.0.9 <=4.1.6) +23 more potentially affected by CVE-2018-1000183 via com.coravy.hudson.plugins.github:github (>=1.10 <=1.27.0)

com.coravy.hudson.plugins.github:github MAVEN version =1.10, =1.0, =4.0.9, =1.0-alpha-1, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =1.3.0, =1.0, =0.9.14, =1.36.0, =1.42.2 and more Source cves: CVE-2018-1000183 Source advisory:...

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), com.mig82:folder-properties (>=57.vde5161ec7a_b_a_ <=61.vc6d404b_75d60) +55 more potentially affected by CVE-2018-1000015 via org.jenkins-ci.plugins.workflow:workflow-durable-task-step (>=0.1-beta-1 <=2.14)

org.jenkins-ci.plugins.workflow:workflow-durable-task-step MAVEN version =0.1-beta-1, =1.9.2-beta, =57.vde5161ec7aba, =1.3.0, =1.1.0.825.v30618768da42, =1.0-alpha-2, =1.27.17, =1.0-alpha-2, =1.0-alpha-2, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.2.0, =1.0-alpha-2, =28.v4f731c96b5f9,...

io.jenkins.blueocean:blueocean (>=1.0-alpha-1 <=1.27.25), io.jenkins.blueocean:blueocean-bitbucket-pipeline (>=1.27.17 <=1.27.25) +10 more potentially affected by CVE-2017-1000243 via org.jvnet.hudson.plugins:favorite (>=1.16 <=2.225.v68765b_b_a_1fa_3)

org.jvnet.hudson.plugins:favorite MAVEN version =1.16, =1.0-alpha-1, =1.27.17, =1.0.0, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =0.1, =1.0.0 Source cves: CVE-2017-1000243 Source advisory: OSV:GHSA-268V-2QQ7-84PF...

com.testinium.jenkins:testinium (=1.0), io.fabric8.jenkins.plugins:openshift-sync (>=0.9.1 <=1.0.45) +34 more potentially affected by CVE-2022-25175 via org.jenkins-ci.plugins.workflow:workflow-multibranch (>=2.0 <=2.9.2)

org.jenkins-ci.plugins.workflow:workflow-multibranch MAVEN version =2.0, =0.9.1, =1.0-alpha-1, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-1, =1.1.0, =1.0-alpha-1, =2021.12.0, =2.2.0, =2.0, =2.5 and more Source cves: CVE-2022-25175 Source advisory:...

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), com.qasymphony.ci.jenkins:qtest (>=1.3.0 <=1.4.6) +38 more potentially affected by CVE-2022-25183 via org.jenkins-ci.plugins.workflow:workflow-cps-global-lib (>=0.1-beta-5 <=2.7)

org.jenkins-ci.plugins.workflow:workflow-cps-global-lib MAVEN version =0.1-beta-5, =1.9.2-beta, =1.3.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.2.0, =1.0, =1.0, =1.0, =0.1-beta-5, =2.5 and more Source cves: CVE-2022-25183 Source advisory: OSV:GHSA-PFWP-Q984-W7WH...

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), com.qasymphony.ci.jenkins:qtest (>=1.3.0 <=1.4.6) +38 more potentially affected by CVE-2022-25182 via org.jenkins-ci.plugins.workflow:workflow-cps-global-lib (>=0.1-beta-5 <=2.7)

org.jenkins-ci.plugins.workflow:workflow-cps-global-lib MAVEN version =0.1-beta-5, =1.9.2-beta, =1.3.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.2.0, =1.0, =1.0, =1.0, =0.1-beta-5, =2.5 and more Source cves: CVE-2022-25182 Source advisory: OSV:GHSA-7RCW-FWFH-2H2G...

com.nirima:docker-plugin (>=0.17 <=1.0.4), com.testinium.jenkins:testinium (=1.0) +39 more potentially affected by CVE-2022-20616 via org.jenkins-ci.plugins:credentials-binding (>=1.10 <=1.24)

org.jenkins-ci.plugins:credentials-binding MAVEN version =1.10, =0.17, =1.0.43, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1-preview-1, =1.2.7, =0.1.0, =0.1.1, =0.4.2 and more Source cves: CVE-2022-20616 Source advisory: OSV:GHSA-GQM2-2GCX-P88W...

io.jenkins.blueocean:blueocean (>=1.0-alpha-1 <=1.2.0-beta-1), io.jenkins.blueocean:blueocean-analytics-tools (>=1.0-alpha-5 <=1.0-alpha-7) +20 more potentially affected by CVE-2022-20621 via org.jenkins-ci.plugins:metrics (>=3.0.0 <=3.1.2.9)

org.jenkins-ci.plugins:metrics MAVEN version =3.0.0, =1.0-alpha-1, =1.0-alpha-5, =1.0-alpha-8, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-1, =1.0-alpha-1, =1.0-alpha-1, =1.0-alpha-1, =1.2.2 - org.jenkins-ci.plugins:argus-notifier =1.0.0 and more...

Privilege Escalation

jenkins-2-plugins/blueocean is vulnerable to privilege escalation. The vulnerability exists as the Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests...