Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•11 views

AWS Secret Key stored and displayed in plain text by statistics-gatherer

statistics-gatherer 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins...

6.5CVSS5.9AI score0.00354EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•11 views

Script security sandbox bypass vulnerability in shared-library-version-override

shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...

8.8CVSS5.2AI score0.00518EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•11 views

Stored XSS vulnerability in authorize-project

authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...

8CVSS4.9AI score0.00668EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•11 views

Exposure of multi-line secrets through error messages in Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line...

4.3CVSS5.9AI score0.00822EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•11 views

Missing permission checks in jenkinsci-appspider-plugin

jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...

4.3CVSS5.2AI score0.0045EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•11 views

Non-constant time webhook token comparison in gitlab-branch-source

gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-branch-source...

5.3CVSS5.6AI score0.005EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/08/16 12:0 a.m.•11 views

Improper masking of credentials in nodejs

nodejs integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. nodejs 1.6.0 and earlier does not properly mask i.e., replace with asterisks credentials specified in...

7.5CVSS7.3AI score0.0053EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/12/07 12:0 a.m.•11 views

Stored XSS vulnerability in checkmarx

checkmarx processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI. checkmarx 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site...

7.5CVSS5.3AI score0.00456EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/09/21 12:0 a.m.•11 views

Missing permission check in build-publisher

build-publisher 1.22 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins...

4.3CVSS5AI score0.00516EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/04/12 12:0 a.m.•11 views

Promotion names in promoted-builds are not validated when using Job DSL

promoted-builds provides dedicated support for defining promotions using Job DSL Plugin. promoted-builds 873.v6149dbd64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a...

8CVSS5.3AI score0.00784EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/01/12 12:0 a.m.•11 views

CSRF vulnerability and missing permission checks in mailer

mailer 391.ve4a38c1bcf4b and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Additionally, this form validation method does n...

4.3CVSS6AI score0.0111EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/12/17 12:0 a.m.•11 views

CSRF vulnerability in mantis

mantis 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials. As of publication of this advisory...

4.3CVSS5.2AI score0.00679EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/10/23 12:0 a.m.•11 views

sonar-gerrit stored credentials in plain text

sonar-gerrit stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...

6.5CVSS6.4AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/30 12:0 a.m.•11 views

sitemonitor globally and unconditionally disables SSL/TLS certificate validation

sitemonitor unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. sitemonitor no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually...

6.5CVSS6AI score0.01458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•11 views

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin

Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as...

6.5CVSS6.5AI score0.01277EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•11 views

Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin

A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password. Additionally, this form validation...

4.3CVSS5.5AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•11 views

Acunetix Plugin stored API key in plain text

Acunetix Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin...

3.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/09/25 12:0 a.m.•11 views

Stored XSS vulnerability in Git Changelog Plugin

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting XSS vulnerability exploitable by users with commit access to specific Git repositories. Git Changelog Plugin 2.7 and newer escape Git commit messages shown on th...

6.1CVSS5.9AI score0.00993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/05/09 12:0 a.m.•11 views

Gitlab Hook Plugin stores and displays GitLab API token in plain text

Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to user...

6.5CVSS6.1AI score0.01176EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/26 12:0 a.m.•11 views

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions: - Configure Gerrit servers - Connect and disconnect configured Gerrit servers The missing permission checks have been added...

5.5CVSS5.6AI score0.00908EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•11 views

SECURITY-695

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•11 views

SECURITY-675

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•11 views

SECURITY-656

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•11 views

SECURITY-657

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/05/27 12:0 a.m.•10 views

Arbitrary file read vulnerability in email-ext

email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...

8.8CVSS5.4AI score0.00299EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/04/29 12:0 a.m.•10 views

XSS vulnerability in legacy wrapper file in htmlpublisher

htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...

8CVSS5.4AI score0.00281EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•10 views

Stored XSS vulnerability in coverage

coverage uses coverage results IDs to create the links to coverage results on the Jenkins UI. coverage 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI. This allows...

8CVSS4.9AI score0.00262EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•10 views

CSRF vulnerability and missing permission check in publish-to-bitbucket

publish-to-bitbucket 0.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

5.4CVSS5.1AI score0.00222EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•10 views

CSRF vulnerability and missing permission check in themis

themis 1.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...

4.3CVSS5.1AI score0.00269EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•10 views

API Keys stored in plain text by curseforge-publisher

curseforge-publisher 1.0 and earlier stores API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...

4.3CVSS5.3AI score0.00237EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/09/17 12:0 a.m.•10 views

Missing permission check allows obtaining agent names

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget...

5.3CVSS7.7AI score0.04735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/09/03 12:0 a.m.•10 views

Missing permission checks in global-build-stats allow enumerating graph IDs

global-build-stats 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints. This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs. global-build-stats 347.v32aeb0493c4f requires Overall/Administer...

4.3CVSS5.2AI score0.00258EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•10 views

Token stored and displayed in plain text by sensedia-api-platform

sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...

6.5CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•10 views

XXE vulnerability in ivytrigger

ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...

8.2CVSS7.5AI score0.01855EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•10 views

CSRF vulnerability and missing permission checks in svn-partial-release-mgr

svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...

4.3CVSS5.1AI score0.00495EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•10 views

DoS vulnerability in analysis-model-api

analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...

7.5CVSS6.3AI score0.01449EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/09/06 12:0 a.m.•10 views

CSRF vulnerability and missing permission check in aws-codecommit-trigger

aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...

6.5CVSS5.4AI score0.00533EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/07/12 12:0 a.m.•10 views

Arbitrary file read vulnerability in mathworks-polyspace

mathworks-polyspace 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step. This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system. As of publication of this advisory,...

6.5CVSS6.5AI score0.00955EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/07/12 12:0 a.m.•10 views

XXE vulnerability in external-monitor-job

external-monitor-job 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from t...

7.1CVSS6.6AI score0.00507EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/05/16 12:0 a.m.•10 views

CSRF vulnerability in ldap

ldap 673.v034ec70ec2bb and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. ldap...

4.3CVSS5AI score0.003EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/03/21 12:0 a.m.•10 views

Command injection vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...

9.8CVSS7.3AI score0.00779EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/02/15 12:0 a.m.•10 views

XSS vulnerability in bundled email templates in email-ext

email-ext bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build. email-ext 2.93 and earlier does not escape various fields included in those email templates, lik...

8CVSS5.4AI score0.00602EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/02/09 12:0 a.m.•10 views

Git releases with critical vulnerabilities on Jenkins Docker images

The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories. Git releases published before 2023-01-17 are affected by the vulnerabilities...

9.8CVSS9.1AI score0.56334EPSS
Exploits0
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/11/15 12:0 a.m.•10 views

SSL/TLS certificate validation globally and unconditionally disabled by cavisson-ns-nd-integration

cavisson-ns-nd-integration 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. cavisson-ns-nd-integration 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally...

7.5CVSS7.2AI score0.00396EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/10/19 12:0 a.m.•10 views

Webhook endpoint discloses job names to unauthorized users in mercurial

mercurial provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET reques...

5.3CVSS5.5AI score0.00655EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/09/21 12:0 a.m.•10 views

Missing hostname validation in smalltest

smalltest 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce...

8.1CVSS7.6AI score0.00539EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/07/27 12:0 a.m.•10 views

Missing permission checks in compuware-scm-downloader

compuware-scm-downloader 2.0.12 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...

6.5CVSS6.4AI score0.00605EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2022/03/29 12:0 a.m.•10 views

Password stored in plain text by proxmox

proxmox 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. proxmox 0.6.0 stores the Proxmox Datacenter...

6.5CVSS6.4AI score0.00887EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2021/11/04 12:0 a.m.•10 views

Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...

9.8CVSS8.7AI score0.0232EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2021/05/25 12:0 a.m.•10 views

XXE vulnerability in nuget

nuget 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This XML parser is used for the "Build on NuGet updates" feature. This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a...

9.1CVSS8.4AI score0.01536EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464