Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/08/07 12:0 a.m.โ€ข11 views

Stored XSS vulnerability in build-pipeline-plugin

build-pipeline-plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...

5.4CVSS5.3AI score0.00735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/07/11 12:0 a.m.โ€ข11 views

port-allocator stores credentials in plain text

port-allocator stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

8.8CVSS5.6AI score0.01668EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/30 12:0 a.m.โ€ข11 views

sitemonitor globally and unconditionally disables SSL/TLS certificate validation

sitemonitor unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. sitemonitor no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually...

6.5CVSS6AI score0.01458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/04/03 12:0 a.m.โ€ข11 views

zap stores credentials in plain text

zap stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS7.9AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/25 12:0 a.m.โ€ข11 views

XSS vulnerability in Lockable Resources Plugin

Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting XSS vulnerability. The plugin now properly escapes resource names in its scripts...

5.4CVSS6AI score0.01397EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/06 12:0 a.m.โ€ข11 views

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin

Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as...

6.5CVSS6.5AI score0.01277EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/06 12:0 a.m.โ€ข11 views

Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin

A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password. Additionally, this form validation...

4.3CVSS5.5AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/06 12:0 a.m.โ€ข11 views

Rabbit-MQ Publisher Plugin stored password in plain text

Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the...

3.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/03/06 12:0 a.m.โ€ข11 views

SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud

A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as...

4.3CVSS5.5AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/02/19 12:0 a.m.โ€ข11 views

Acunetix Plugin stored API key in plain text

Acunetix Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin...

3.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2019/01/28 12:0 a.m.โ€ข11 views

GitHub Authentication Plugin showed plain text client secret in configuration form

GitHub Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret...

4.3CVSS4.7AI score0.01131EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/09/25 12:0 a.m.โ€ข11 views

Stored XSS vulnerability in Git Changelog Plugin

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting XSS vulnerability exploitable by users with commit access to specific Git repositories. Git Changelog Plugin 2.7 and newer escape Git commit messages shown on th...

6.1CVSS5.9AI score0.00993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/07/30 12:0 a.m.โ€ข11 views

SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline

When using the sshagent step inside a withDockerContainer block in Pipeline, the resulting logging of the ssh-add command included the SSH key passphrase in plain text. The plugin no longer logs the ssh-add invocation that would reveal the passphrase...

6.5CVSS5.9AI score0.01374EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/06/25 12:0 a.m.โ€ข11 views

Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials Binding Plugin

SSH Credentials Plugin allowed the creation of SSH credentials with keys "From a file on Jenkins controller". Credentials Binding Plugin 1.13 and newer allows binding SSH credentials to environment variables. In combination, these two features allow users with the permission to configure a job to...

6.5CVSS6.5AI score0.01013EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/05/09 12:0 a.m.โ€ข11 views

Gitlab Hook Plugin stores and displays GitLab API token in plain text

Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials. Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to user...

6.5CVSS6.1AI score0.01176EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/03/26 12:0 a.m.โ€ข11 views

Perforce Plugin credentials can be obtained by users with Job/Extended Read permission

Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations. Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins,...

6.5CVSS6.3AI score0.00858EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/02/26 12:0 a.m.โ€ข11 views

Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 released on Mar 08, 2015 however did not exempt sensitive variables...

3.1CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/02/26 12:0 a.m.โ€ข11 views

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions: - Configure Gerrit servers - Connect and disconnect configured Gerrit servers The missing permission checks have been added...

5.5CVSS5.6AI score0.00908EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/02/05 12:0 a.m.โ€ข11 views

SECURITY-659

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2018/02/05 12:0 a.m.โ€ข11 views

SECURITY-521

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข10 views

Missing permission checks allow obtaining limited user profile information

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform permission checks in HTTP endpoints. This allows attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". Jenkins 2.568, LTS 2.555.3 performs...

4.3CVSS5.2AI score0.00234EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข10 views

Path traversal vulnerability in credentials-binding

credentials-binding 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged us...

7.5CVSS5.5AI score0.00364EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข10 views

Missing permission check in jenkinsci-appspider-plugin allows sending requests

jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...

4.3CVSS5.2AI score0.00187EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข10 views

CSRF vulnerability in github-pullrequest

github-pullrequest 0.7.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trigger a build for a pull request. github-pullrequest 0.7.4 requires POST requests for the affected HTTP...

4.3CVSS5.2AI score0.00109EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข10 views

Stored XSS vulnerability in buildgraph-view

buildgraph-view 1.8 and earlier does not escape the build URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views. As of publication of this advisory, there is no fix. Learn why we announce this...

8CVSS4.9AI score0.00176EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข10 views

Unsafe deserialization allows invoking parameterless constructors in matrix-auth

matrix-auth 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to...

6.5CVSS5.3AI score0.00246EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข10 views

Missing permission check in github-branch-source allows performing a connection test

github-branch-source 1967.vdead580c1aba and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. github-branch-source...

4.3CVSS5.2AI score0.00184EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข10 views

XSS vulnerability in legacy wrapper file in htmlpublisher

htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...

8CVSS5.4AI score0.00281EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข10 views

Path traversal vulnerability in credentials-binding

credentials-binding 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to...

7.5CVSS5.9AI score0.00411EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข10 views

Stored XSS vulnerability in coverage

coverage uses coverage results IDs to create the links to coverage results on the Jenkins UI. coverage 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI. This allows...

8CVSS4.9AI score0.00262EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/12/10 12:0 a.m.โ€ข10 views

Missing permission check in BlazeMeterJenkinsPlugin allows enumerating credentials IDs

BlazeMeterJenkinsPlugin 4.26 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

5.3CVSS5.2AI score0.00218EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/10/29 12:0 a.m.โ€ข10 views

API Keys stored in plain text by curseforge-publisher

curseforge-publisher 1.0 and earlier stores API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...

4.3CVSS5.3AI score0.00237EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/10/29 12:0 a.m.โ€ข10 views

CSRF vulnerability and missing permission check in publish-to-bitbucket

publish-to-bitbucket 0.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

5.4CVSS5.1AI score0.00222EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/09/17 12:0 a.m.โ€ข10 views

Missing permission check allows obtaining agent names

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget...

5.3CVSS7.7AI score0.04735EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/09/03 12:0 a.m.โ€ข10 views

SMTP command injection vulnerability in jakarta-mail-api

jakarta-mail-api 2.1.3-2 and earlier bundles versions of Angus Mail vulnerable to https://vulners.com/cve/CVE-2025-7962CVE-2025-7962. This allows attackers able to control recipient email addresses of emails sent by Jenkins to send emails with arbitrary contents to arbitrary recipients...

7.5CVSS6.4AI score0.00756EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/07/09 12:0 a.m.โ€ข10 views

Token stored and displayed in plain text by sensedia-api-platform

sensedia-api-platform 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...

6.5CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/03/05 12:0 a.m.โ€ข10 views

Encrypted values of secrets stored in view configuration revealed to users with View/Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the 2016-05-11...

4.3CVSS6AI score0.00317EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2025/01/22 12:0 a.m.โ€ข10 views

Tokens displayed without masking by zoom

zoom requires Zoom integration tokens for Zoom Build Notifier post-build actions. In zoom 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. zoom 1.6 masks Zoom integration tokens displayed on the job...

3.1CVSS5.2AI score0.00167EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/06/26 12:0 a.m.โ€ข10 views

Bitbucket OAuth access token exposed in the build log by cloudbees-bitbucket-branch-source

cloudbees-bitbucket-branch-source 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. cloudbees-bitbucket-branch-source 887.vad359b3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL i...

4.3CVSS5AI score0.00489EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/03/06 12:0 a.m.โ€ข10 views

CSRF vulnerability and missing permission checks in svn-partial-release-mgr

svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...

4.3CVSS5.1AI score0.00495EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2024/01/24 12:0 a.m.โ€ข10 views

Arbitrary file read vulnerability through the CLI can lead to RCE

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...

9.8CVSS8.7AI score0.99999EPSS
Exploits46Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/12/13 12:0 a.m.โ€ข10 views

DoS vulnerability in analysis-model-api

analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...

7.5CVSS6.3AI score0.01449EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/09/06 12:0 a.m.โ€ข10 views

CSRF vulnerability and missing permission check in aws-codecommit-trigger

aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to clear the SQS queue. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. A...

6.5CVSS5.4AI score0.00533EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/07/12 12:0 a.m.โ€ข10 views

XXE vulnerability in external-monitor-job

external-monitor-job 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from t...

7.1CVSS6.6AI score0.00507EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/05/16 12:0 a.m.โ€ข10 views

Stored XSS vulnerability in workflow-job

workflow-job 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set build display...

7.5CVSS5.3AI score0.00586EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/05/16 12:0 a.m.โ€ข10 views

Path traversal vulnerability in sidebar-link

sidebar-link allows specifying files in the userContent/ directory for use as link icons. sidebar-link 2.2.1 and earlier does not restrict the path of files in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an...

4.3CVSS5AI score0.72358EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/05/16 12:0 a.m.โ€ข10 views

Missing hostname validation in miniorange-saml-sp

miniorange-saml-sp 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. miniorange-saml-sp 2.1.0 performs...

4.8CVSS5.2AI score0.00209EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/04/12 12:0 a.m.โ€ข10 views

Disabled SSL/TLS certificate validation for existing configurations in image-tag-parameter

image-tag-parameter 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default. As of publication of...

6.5CVSS6AI score0.00458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/03/21 12:0 a.m.โ€ข10 views

Command injection vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that...

9.8CVSS7.3AI score0.00779EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2023/02/15 12:0 a.m.โ€ข10 views

Missing permission checks in azure-credentials allow enumerating credentials IDs

azure-credentials 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...

4.3CVSS5.1AI score0.00511EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464