Jenkins CI / CD Server


Products by Jenkins Sorted by Most Security Vulnerabilities since 2018

Jenkins: 82 vulnerabilities
Continuous Integration Engine
Jenkins Script Security: 19 vulnerabilities
Jenkins Pipeline: 8 vulnerabilities
Jenkins Active Directory: 6 vulnerabilities
Jenkins Amazon Ec2: 6 vulnerabilities
Jenkins Electricflow: 6 vulnerabilities
Jenkins Config File Provider: 6 vulnerabilities
Jenkins Websphere Deployer: 5 vulnerabilities
Jenkins Kubernetes: 5 vulnerabilities
Jenkins Blue Ocean: 5 vulnerabilities
Jenkins Project Inheritance: 5 vulnerabilities
Jenkins Rundeck: 4 vulnerabilities
Jenkins Fortify On Demand: 4 vulnerabilities
Jenkins Gerrit Trigger: 4 vulnerabilities
Jenkins Rapiddeploy: 4 vulnerabilities
Jenkins Git: 4 vulnerabilities
Jenkins Credentials Binding: 4 vulnerabilities
Jenkins Liquibase Runner: 4 vulnerabilities
Jenkins Kubernetes Ci: 4 vulnerabilities
Jenkins Kmap: 3 vulnerabilities
Jenkins Active Choices: 3 vulnerabilities
Jenkins Subversion: 3 vulnerabilities
Jenkins Openshift Deployer: 3 vulnerabilities
Jenkins Ansible Tower: 3 vulnerabilities
Jenkins Libvirt Slaves: 3 vulnerabilities
Jenkins Maven: 3 vulnerabilities
Jenkins Audit To Database: 3 vulnerabilities
Jenkins Audit Trail: 3 vulnerabilities
Jenkins Support Core: 3 vulnerabilities
Jenkins Repository Connector: 3 vulnerabilities
Jenkins Email Extension: 3 vulnerabilities
Jenkins Azure Vm Agents: 3 vulnerabilities
Jenkins Icescrum: 3 vulnerabilities
Jenkins Ftp Publisher: 3 vulnerabilities
Jenkins Black Duck Hub: 3 vulnerabilities
Jenkins Mercurial: 3 vulnerabilities
Jenkins Matrix Project: 3 vulnerabilities
Jenkins Soasta Cloudtest: 3 vulnerabilities
Jenkins Team Concert: 3 vulnerabilities
Jenkins Github: 3 vulnerabilities
Jenkins Tracetronic Ecu Test: 3 vulnerabilities
Jenkins Warnings: 3 vulnerabilities
Jenkins Vsphere: 3 vulnerabilities
Jenkins Git Parameter: 3 vulnerabilities
Jenkins Job Import: 3 vulnerabilities
Jenkins Docker: 3 vulnerabilities
Jenkins Mac: 3 vulnerabilities
Jenkins Android Lint: 2 vulnerabilities
Jenkins Ansible: 2 vulnerabilities
Jenkins Jira: 2 vulnerabilities
Jenkins Promoted Builds: 2 vulnerabilities
Jenkins Aws Codedeploy: 2 vulnerabilities
Jenkins Octopusdeploy: 2 vulnerabilities
Jenkins Harvest Scm: 2 vulnerabilities
Jenkins Jx Resources: 2 vulnerabilities
Jenkins Koji: 2 vulnerabilities
Jenkins Nomad: 2 vulnerabilities
Jenkins Openid: 2 vulnerabilities
Jenkins Bumblebee Hp Alm: 2 vulnerabilities
Jenkins Cadence Vmanager: 2 vulnerabilities
Jenkins P4: 2 vulnerabilities
Jenkins Gitlab Oauth: 2 vulnerabilities
Jenkins Html Publisher: 2 vulnerabilities
Jenkins Inedo Proget: 2 vulnerabilities
Jenkins Reviewbot: 2 vulnerabilities
Jenkins Inedo Buildmaster: 2 vulnerabilities
Jenkins Google Login: 2 vulnerabilities
Jenkins Junit: 2 vulnerabilities
Jenkins Kubernetes Pipeline: 2 vulnerabilities
Jenkins Lockable Resources: 2 vulnerabilities
Jenkins Credentials: 2 vulnerabilities
Jenkins Mailer: 2 vulnerabilities
Jenkins Dashboard View: 2 vulnerabilities
Jenkins M2release: 2 vulnerabilities
Jenkins Deploy Weblogic: 2 vulnerabilities


By the Year

In 2021 there have been 48 vulnerabilities in Jenkins with an average score of 5.9 out of ten. Last year Jenkins had 171 security vulnerabilities published. Right now, Jenkins is on track to have fewer security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 0.16.

Year Vulnerabilities Average Score
2021 48 5.90
2020 171 6.06
2019 340 6.91
2018 119 6.46

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Jenkins Security Vulnerabilities

Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets

CVE-2021-21649 5.4 - Medium - May 11, 2021

Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

XSS

Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides

CVE-2021-21648 6.1 - Medium - May 11, 2021

Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

XSS

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21642 8.1 - High - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints

CVE-2021-21643 6.5 - Medium - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint

CVE-2021-21647 4.3 - Medium - April 21, 2021

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier

CVE-2021-21644 5.4 - Medium - April 21, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

Session Riding

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin

CVE-2021-21646 8.8 - High - April 21, 2021

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints

CVE-2021-21645 4.3 - Medium - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier

CVE-2021-21641 4.3 - Medium - April 07, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds.

Session Riding

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node

CVE-2021-21639 4.3 - Medium - April 07, 2021

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

Improper Input Validation

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check

CVE-2021-21640 4.3 - Medium - April 07, 2021

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

Improper Handling of Inconsistent Structural Elements

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions

CVE-2021-21628 5.4 - Medium - March 30, 2021

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier

CVE-2021-21629 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

Session Riding

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column

CVE-2021-21630 5.4 - Medium - March 30, 2021

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint

CVE-2021-21631 4.3 - Medium - March 30, 2021

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

AuthZ

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier

CVE-2021-21632 6.5 - Medium - March 30, 2021

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier

CVE-2021-21633 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

Session Riding

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they

CVE-2021-21634 6.5 - Medium - March 30, 2021

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript

CVE-2021-21635 5.4 - Medium - March 30, 2021

Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21636 4.3 - Medium - March 30, 2021

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

AuthZ

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21637 6.5 - Medium - March 30, 2021

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21638 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier

CVE-2021-21623 6.5 - Medium - March 18, 2021

An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

AuthZ

An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier

CVE-2021-21624 4.3 - Medium - March 18, 2021

An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

AuthZ

Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints

CVE-2021-21625 4.3 - Medium - March 18, 2021

Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

AuthZ

Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation

CVE-2021-21626 4.3 - Medium - March 18, 2021

Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier

CVE-2021-21627 8.8 - High - March 18, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.

Session Riding

Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values

CVE-2021-21616 4.6 - Medium - February 24, 2021

Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds

CVE-2021-21618 5.4 - Medium - February 24, 2021

Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information

CVE-2021-21621 5.3 - Medium - February 24, 2021

Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.

Information Disclosure

A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier

CVE-2021-21617 8.8 - High - February 24, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

Session Riding

Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either

CVE-2021-21619 5.4 - Medium - February 24, 2021

Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier

CVE-2021-21620 4.3 - Medium - February 24, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.

Session Riding

Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions

CVE-2021-21622 5.4 - Medium - February 24, 2021

Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins 2.275 and LTS 2.263.2

CVE-2021-21615 5.3 - Medium - January 26, 2021

Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

TOCTTOU

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier

CVE-2021-21602 6.5 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

Insecure Temporary File

Jenkins 2.274 and earlier

CVE-2021-21603 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

XSS

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor

CVE-2021-21604 8 - High - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Marshaling, Unmarshaling

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names

CVE-2021-21605 8 - High - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

Improper Input Validation

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence

CVE-2021-21606 4.3 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence, allowing an attacker to check for the existence of XML files with a short path.

Improper Input Validation

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs

CVE-2021-21607 6.5 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

Allocation of Resources Without Limits or Throttling

Jenkins 2.274 and earlier

CVE-2021-21608 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

XSS

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths

CVE-2021-21609 5.3 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

AuthZ

Jenkins 2.274 and earlier

CVE-2021-21610 6.1 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

XSS

Jenkins 2.274 and earlier

CVE-2021-21611 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

XSS

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they

CVE-2021-21612 5.5 - Medium - January 13, 2021

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they

CVE-2021-21614 5.5 - Medium - January 13, 2021

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses

CVE-2021-21613 6.1 - Medium - January 13, 2021

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

XSS

Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.

CVE-2020-2320 9.8 - Critical - December 03, 2020

Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.

Download of Code Without Integrity Check

A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier

CVE-2020-2321 8.1 - High - December 03, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.

Session Riding

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2324 7.5 - High - December 03, 2020

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Active Directory Plugin 2.19 and earlier

CVE-2020-2299 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password.

Authentication

Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which

CVE-2020-2300 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.

Authentication

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of

CVE-2020-2301 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.

Authentication

A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier

CVE-2020-2302 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier

CVE-2020-2303 4.3 - Medium - November 04, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

Session Riding

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2304 6.5 - Medium - November 04, 2020

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2305 6.5 - Medium - November 04, 2020

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier

CVE-2020-2306 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

AuthZ

Jenkins Kubernetes Plugin 1.27.3 and earlier

CVE-2020-2307 4.3 - Medium - November 04, 2020

Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Information Disclosure

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier

CVE-2020-2308 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.

AuthZ

A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier

CVE-2020-2309 4.3 - Medium - November 04, 2020

A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier

CVE-2020-2310 4.3 - Medium - November 04, 2020

Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier

CVE-2020-2311 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.

AuthZ

Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.

CVE-2020-2312 6.5 - Medium - November 04, 2020

Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.

Insufficiently Protected Credentials

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier

CVE-2020-2313 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it

CVE-2020-2314 5.5 - Medium - November 04, 2020

Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Unprotected Storage of Credentials

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2315 6.5 - Medium - November 04, 2020

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips

CVE-2020-2316 5.4 - Medium - November 04, 2020

Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips

CVE-2020-2317 5.4 - Medium - November 04, 2020

Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.

XSS

Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they

CVE-2020-2318 6.5 - Medium - November 04, 2020

Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Unprotected Storage of Credentials

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it

CVE-2020-2319 6.5 - Medium - November 04, 2020

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Unprotected Storage of Credentials

Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed

CVE-2020-2286 8.8 - High - October 08, 2020

Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.

AuthZ
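CVE-2020-2286 is a cache-invalidation bug: permission decisions computed under an old role configuration keep being served after the configuration changes, so a revoked role still grants. The Java program below is an added illustration of that failure and of the fix, not code from the Role-based Authorization Strategy Plugin; the role model, the user and the permission names are constructed for the example, and it assumes Java 11 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class RoleCacheInvalidation {

    /** Constructed role model: role -> permissions, user -> roles. */
    static final class RoleConfig {
        final Map<String, Set<String>> rolePermissions = new HashMap<>();
        final Map<String, Set<String>> userRoles = new HashMap<>();

        boolean hasPermission(String user, String permission) {
            for (String role : userRoles.getOrDefault(user, Set.of())) {
                if (rolePermissions.getOrDefault(role, Set.of()).contains(permission)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** The bug: decisions are memoised, but reconfiguring never drops the memo. */
    static class StaleCacheStrategy {
        volatile RoleConfig config = new RoleConfig();
        final Map<String, Boolean> decisions = new ConcurrentHashMap<>();

        boolean hasPermission(String user, String permission) {
            return decisions.computeIfAbsent(user + "\0" + permission,
                    k -> config.hasPermission(user, permission));
        }

        void reconfigure(RoleConfig newConfig) {
            config = newConfig;          // cache untouched: grants from the old config survive
        }
    }

    /** The fix: every configuration change invalidates the cached decisions. */
    static class InvalidatingStrategy extends StaleCacheStrategy {
        @Override
        void reconfigure(RoleConfig newConfig) {
            config = newConfig;
            decisions.clear();
        }
    }

    static RoleConfig aliceIsAdmin() {
        RoleConfig c = new RoleConfig();
        c.rolePermissions.put("admin", Set.of("Overall/Administer", "Overall/Read"));
        c.userRoles.put("alice", Set.of("admin"));
        return c;
    }

    static RoleConfig aliceIsReader() {
        RoleConfig c = new RoleConfig();
        c.rolePermissions.put("reader", Set.of("Overall/Read"));
        c.userRoles.put("alice", Set.of("reader"));
        return c;
    }

    /** Grant alice admin, exercise the check once, revoke admin, then ask again. */
    static boolean adminAfterRevocation(StaleCacheStrategy strategy) {
        strategy.reconfigure(aliceIsAdmin());
        strategy.hasPermission("alice", "Overall/Administer");   // warms the cache with "true"
        strategy.reconfigure(aliceIsReader());                   // admin role removed
        return strategy.hasPermission("alice", "Overall/Administer");
    }

    public static void main(String[] args) {
        System.out.println("stale cache still grants Administer:  "
                + adminAfterRevocation(new StaleCacheStrategy()));   // true: the bug
        System.out.println("invalidating cache grants Administer: "
                + adminAfterRevocation(new InvalidatingStrategy())); // false
    }
}
```

A plain clear() is the minimum: a lookup that started under the old configuration can still insert its result after the clear. Keying the cache on a configuration generation counter that reconfigure() increments removes that window, because entries computed against the previous generation are never consulted again.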

Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests

CVE-2020-2287 5.3 - Medium - October 08, 2020

Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL.

Interaction Error

In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL

CVE-2020-2288 5.3 - Medium - October 08, 2020

In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Incorrect Regular Expression
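Both Audit Trail entries above (CVE-2020-2287 and CVE-2020-2288) come down to one mistake: the audit pattern is evaluated against a different string than the one the dispatcher routes on, so a request can be shaped to reach the endpoint without matching the log filter. The Java program below is an added illustration of that mismatch, not the plugin's code. The pattern, the request paths and the normalisation rules (drop the query string, `;` path parameters, empty segments and percent-encoding before matching) are assumptions made for the demonstration; the actual suffixes that defeated the real default pattern are not given on this page. It assumes Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class AuditPathMatching {

    // Hypothetical audit pattern for state-changing endpoints: it expects the
    // request path to end exactly at the action name.
    static final Pattern AUDITED = Pattern.compile(
            ".*/(configSubmit|doDelete|createItem|disable|enable)$");

    /** Buggy check: the pattern is applied to the request URI exactly as received. */
    static boolean loggedRaw(String requestUri) {
        return AUDITED.matcher(requestUri).matches();
    }

    /**
     * Reduce the URI to the form the dispatcher routes on. Assumed dispatcher
     * behaviour for this example: query string ignored, ';' path parameters
     * stripped per segment, empty segments collapsed, percent-escapes decoded.
     * (URLDecoder also turns '+' into a space, which is fine for this demo.)
     */
    static String dispatchPath(String requestUri) {
        String path = requestUri;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : path.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) {
                seg = seg.substring(0, semi);
            }
            if (seg.isEmpty()) {
                continue;
            }
            sb.append('/').append(URLDecoder.decode(seg, StandardCharsets.UTF_8));
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** Fixed check: match the same representation the dispatcher uses. */
    static boolean loggedNormalized(String requestUri) {
        return AUDITED.matcher(dispatchPath(requestUri)).matches();
    }

    public static void main(String[] args) {
        // Constructed requests: all of them reach the same configSubmit handler.
        List<String> requests = List.of(
                "/job/build/configSubmit",
                "/job/build/configSubmit/",
                "/job/build/configSubmit;jsessionid=abc",
                "/job/build//configSubmit",
                "/job/build/configSubmit?x=1",
                "/job/build/config%53ubmit");
        for (String r : requests) {
            System.out.printf("%-42s raw=%-5s normalized=%s%n",
                    r, loggedRaw(r), loggedNormalized(r));
        }
    }
}
```

The raw check misses the trailing-slash, path-parameter, query-string and percent-encoded variants while the handler still runs; the normalised check logs all of them. The durable fix is not a cleverer regular expression but obtaining the path from the same code that dispatches the request.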

Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters

CVE-2020-2289 5.4 - Medium - October 08, 2020

Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters

CVE-2020-2290 5.4 - Medium - October 08, 2020

Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller

CVE-2020-2291 3.3 - Low - October 08, 2020

Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Unprotected Storage of Credentials

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip

CVE-2020-2292 5.4 - Medium - October 08, 2020

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

XSS

Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller

CVE-2020-2293 6.5 - Medium - October 08, 2020

Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

Directory traversal

A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier

CVE-2020-2296 4.3 - Medium - October 08, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.

Session Riding

Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller

CVE-2020-2297 3.3 - Low - October 08, 2020

Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Unprotected Storage of Credentials

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2298 6.5 - Medium - October 08, 2020

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content

CVE-2020-2279 9.9 - Critical - September 23, 2020

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.

A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier

CVE-2020-2280 8.8 - High - September 23, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code.

Session Riding

A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier

CVE-2020-2281 5.4 - Medium - September 23, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources.

Session Riding

Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint

CVE-2020-2282 4.3 - Medium - September 23, 2020

Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin.

AuthZ

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents

CVE-2020-2283 5.4 - Medium - September 23, 2020

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control changeset files evaluated by the plugin.

XSS

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2284 7.1 - High - September 23, 2020

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE
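The three XXE entries on this page (CVE-2020-2315 Visualworks Store, CVE-2020-2298 Nerrvana, CVE-2020-2284 Liquibase Runner) share one root cause: a JAXP parser used with its defaults, which resolve external entities declared in the document's DOCTYPE. The Java program below is an added illustration of the insecure default next to a hardened factory; it is not code from any of those plugins. The report document and the file path it references are constructed for the demonstration; the feature URIs are the standard JAXP/Xerces ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample: a "report file" whose DOCTYPE declares an external entity.
    // A parser that resolves it copies /etc/hostname into <result>.
    static final String UNTRUSTED_XML =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE report [<!ENTITY leak SYSTEM \"file:///etc/hostname\">]>\n"
          + "<report><result>&leak;</result></report>";

    /** The pattern behind the advisories: a factory used with its defaults. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE at all, so no entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse the document and return the text of its <result> element. */
    static String resultText(DocumentBuilder parser, String xml) throws Exception {
        Document doc = parser.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("result").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the file content ends up in the document, or the parse
        // fails with an I/O error that itself confirms the read attempt.
        try {
            System.out.println("default parser result: "
                    + resultText(defaultParser(), UNTRUSTED_XML).trim());
        } catch (IOException e) {
            System.out.println("default parser tried to read the file: " + e.getMessage());
        }
        // Hardened parser: rejected at the DOCTYPE, before any entity is touched.
        try {
            resultText(hardenedParser(), UNTRUSTED_XML);
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the right default for report and configuration files a build step hands to a plugin, since none of them need one; the remaining feature flags matter when a format genuinely requires a DTD and only the external resolution has to be switched off.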

A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier

CVE-2020-2285 4.3 - Medium - September 23, 2020

A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.

CVE-2020-2252 4.8 - Medium - September 16, 2020

Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.

Improper Certificate Validation

Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.

CVE-2020-2253 4.8 - Medium - September 16, 2020

Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.

Improper Certificate Validation

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag

CVE-2020-2254 6.5 - Medium - September 16, 2020

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

Directory traversal

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier

CVE-2020-2255 4.3 - Medium - September 16, 2020

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

AuthZ

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause

CVE-2020-2256 5.4 - Medium - September 16, 2020

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint

CVE-2020-2258 4.3 - Medium - September 16, 2020

Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

AuthZ

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips

CVE-2020-2262 5.4 - Medium - September 16, 2020

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

XSS

Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page

CVE-2020-2238 5.4 - Medium - September 01, 2020

Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips

CVE-2020-2243 5.4 - Medium - September 01, 2020

Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

XSS

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response

CVE-2020-2244 5.4 - Medium - September 01, 2020

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.