Jenkins Jenkins CI / CD Server
Products by Jenkins Sorted by Most Security Vulnerabilities since 2018
Recent Jenkins Security Advisories
Known Exploited Jenkins Vulnerabilities
The following Jenkins vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Jenkins User Interface (UI) Information Disclosure Vulnerability | Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages. CVE-2015-5317 | May 12, 2023 |
Jenkins Script Security Plugin Sandbox Bypass Vulnerability | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. CVE-2019-1003029 | April 25, 2022 |
Jenkins Matrix Project Plugin Remote Code Execution Vulnerability | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. CVE-2019-1003030 | March 25, 2022 |
Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability | A code execution vulnerability exists in the Stapler web framework used by Jenkins CVE-2018-1000861 | February 10, 2022 |
By the Year
In 2023 there have been 131 vulnerabilities in Jenkins with an average score of 6.5 out of ten. Last year Jenkins had 381 security vulnerabilities published. Right now, Jenkins is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.30.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 131 | 6.46 |
2022 | 381 | 6.16 |
2021 | 102 | 6.50 |
2020 | 173 | 6.09 |
2019 | 341 | 6.88 |
2018 | 120 | 6.45 |
It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Security Vulnerabilities
A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier
CVE-2023-2195
3.5 - Low
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.
Session Riding
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier
CVE-2023-2631
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
Session Riding
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier
CVE-2023-2196
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.
Directory traversal
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they
CVE-2023-2632
4.3 - Medium
- May 16, 2023
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Insufficiently Protected Credentials
Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form
CVE-2023-2633
4.3 - Medium
- May 16, 2023
Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.
Insufficiently Protected Credentials
A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier
CVE-2023-32996
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.
Incorrect Default Permissions
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier
CVE-2023-32999
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
Incorrect Default Permissions
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form
CVE-2023-33000
7.5 - High
- May 16, 2023
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.
Insufficiently Protected Credentials
Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata
CVE-2023-32994
3.7 - Low
- May 16, 2023
Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
Improper Certificate Validation
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.
CVE-2023-32997
8.8 - High
- May 16, 2023
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.
Session Fixation
A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier
CVE-2023-32998
8.8 - High
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier
CVE-2023-33006
5.4 - Medium
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account.
Session Riding
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier
CVE-2023-32990
6.5 - Medium
- May 16, 2023
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
Incorrect Permission Assignment for Critical Resource
A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier
CVE-2023-32991
8.8 - High
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.
Session Riding
Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier
CVE-2023-32992
8.8 - High
- May 16, 2023
Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.
Incorrect Permission Assignment for Critical Resource
Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata
CVE-2023-32993
4.8 - Medium
- May 16, 2023
Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
Insufficient Verification of Data Authenticity
A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier
CVE-2023-32995
8.8 - High
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.
Session Riding
Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e
CVE-2023-33001
7.5 - High
- May 16, 2023
Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Insertion of Sensitive Information into Log File
Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name
CVE-2023-33002
5.4 - Medium
- May 16, 2023
Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier
CVE-2023-33003
4.3 - Medium
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics.
Session Riding
A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier
CVE-2023-33004
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.
Incorrect Permission Assignment for Critical Resource
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.
CVE-2023-33005
5.4 - Medium
- May 16, 2023
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.
Insufficient Session Expiration
Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name
CVE-2023-33007
5.4 - Medium
- May 16, 2023
Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
XSS
Jenkins Pipeline: Job Plugin does not escape the display name of the build
CVE-2023-32977
5.4 - Medium
- May 16, 2023
Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin
CVE-2023-32978
4.3 - Medium
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
Session Riding
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation
CVE-2023-32979
4.3 - Medium
- May 16, 2023
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.
Incorrect Permission Assignment for Critical Resource
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin
CVE-2023-32980
4.3 - Medium
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.
Session Riding
An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier
CVE-2023-32981
9.8 - Critical
- May 16, 2023
An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.
Memory Corruption
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they
CVE-2023-32982
4.3 - Medium
- May 16, 2023
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Missing Encryption of Sensitive Data
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form
CVE-2023-32983
5.3 - Medium
- May 16, 2023
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.
Cleartext Storage of Sensitive Information
Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values
CVE-2023-32984
5.4 - Medium
- May 16, 2023
Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.
XSS
Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation
CVE-2023-32985
4.3 - Medium
- May 16, 2023
Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Directory traversal
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters
CVE-2023-32986
8.8 - High
- May 16, 2023
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
Incorrect Permission Assignment for Critical Resource
A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier
CVE-2023-32987
8.8 - High
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
Session Riding
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier
CVE-2023-32988
4.3 - Medium
- May 16, 2023
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
Insufficiently Protected Credentials
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier
CVE-2023-32989
8.8 - High
- May 16, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
Session Riding
Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e
CVE-2023-30513
7.5 - High
- April 12, 2023
Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Cleartext Transmission of Sensitive Information
Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e
CVE-2023-30514
7.5 - High
- April 12, 2023
Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Cleartext Transmission of Sensitive Information
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e
CVE-2023-30515
7.5 - High
- April 12, 2023
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Cleartext Transmission of Sensitive Information
Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters
CVE-2023-30516
6.5 - Medium
- April 12, 2023
Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by default.
Improper Certificate Validation
Jenkins NeuVector Vulnerability S
CVE-2023-30517
5.3 - Medium
- April 12, 2023
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.
Improper Certificate Validation
Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted
CVE-2023-30520
5.4 - Medium
- April 12, 2023
Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.
XSS
A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier
CVE-2023-30532
6.5 - Medium
- April 12, 2023
A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.
AuthZ
Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it
CVE-2023-30530
4.3 - Medium
- April 12, 2023
Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Cleartext Storage of Sensitive Information
Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form
CVE-2023-30531
6.5 - Medium
- April 12, 2023
Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.
Cleartext Storage of Sensitive Information
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier
CVE-2023-30518
4.3 - Medium
- April 12, 2023
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier
CVE-2023-30519
5.3 - Medium
- April 12, 2023
A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
AuthZ
A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier
CVE-2023-30521
5.3 - Medium
- April 12, 2023
A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
AuthZ
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier
CVE-2023-30522
4.3 - Medium
- April 12, 2023
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.
AuthZ
Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they
CVE-2023-30523
4.3 - Medium
- April 12, 2023
Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Cleartext Storage of Sensitive Information
Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form
CVE-2023-30524
4.3 - Medium
- April 12, 2023
Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.
A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier
CVE-2023-30525
8.8 - High
- April 12, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication.
Session Riding
A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier
CVE-2023-30526
6.5 - Medium
- April 12, 2023
A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.
AuthZ
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it
CVE-2023-30527
4.3 - Medium
- April 12, 2023
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Cleartext Storage of Sensitive Information
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form
CVE-2023-30528
6.5 - Medium
- April 12, 2023
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.
Cleartext Storage of Sensitive Information
Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint
CVE-2023-30529
4.3 - Medium
- April 12, 2023
Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.
Session Riding
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration
CVE-2023-28677
9.8 - Critical
- April 02, 2023
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.
Command Injection
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28681
8.2 - High
- April 02, 2023
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28682
8.2 - High
- April 02, 2023
Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28683
8.2 - High
- April 02, 2023
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28684
6.5 - Medium
- April 02, 2023
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier
CVE-2023-28673
4.3 - Medium
- April 02, 2023
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier
CVE-2023-28674
8.8 - High
- April 02, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.
Session Riding
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier
CVE-2023-28675
4.3 - Medium
- April 02, 2023
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier
CVE-2023-28676
8.8 - High
- April 02, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).
Session Riding
Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names
CVE-2023-28678
5.4 - Medium
- April 02, 2023
Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.
XSS
Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature
CVE-2023-28679
5.4 - Medium
- April 02, 2023
Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.
XSS
Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28680
7.5 - High
- April 02, 2023
Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript
CVE-2023-28670
5.4 - Medium
- April 02, 2023
Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier
CVE-2023-28671
4.3 - Medium
- April 02, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Session Riding
Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint
CVE-2023-28672
6.5 - Medium
- April 02, 2023
Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AuthZ
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.
CVE-2023-28668
9.8 - Critical
- April 02, 2023
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.
Improper Preservation of Permissions
Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI
CVE-2023-28669
5.4 - Medium
- April 02, 2023
Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.
XSS
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28685
7.1 - High
- March 22, 2023
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which
CVE-2023-27902
4.3 - Medium
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.
Jenkins 2.270 through 2.393 (both inclusive)
CVE-2023-27898
9.6 - Critical
- March 10, 2023
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
XSS
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially
CVE-2023-27899
7 - High
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.
AuthZ
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser
CVE-2023-27900
7.5 - High
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.
Allocation of Resources Without Limits or Throttling
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl
CVE-2023-27901
7.5 - High
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
Allocation of Resources Without Limits or Throttling
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially
CVE-2023-27903
4.4 - Medium
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.
AuthZ
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration
CVE-2023-27904
5.3 - Medium
- March 10, 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.
Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization
CVE-2023-27905
9.6 - Critical
- March 10, 2023
Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.
XSS
A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier
CVE-2023-23850
4.3 - Medium
- February 15, 2023
A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
Incorrect Default Permissions
Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier
CVE-2023-23848
4.3 - Medium
- February 15, 2023
Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Incorrect Default Permissions
A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier
CVE-2023-23847
3.5 - Low
- February 15, 2023
A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Session Riding
A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier
CVE-2023-25766
4.3 - Medium
- February 15, 2023
A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection
CVE-2023-25765
9.9 - Critical
- February 15, 2023
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Protection Mechanism Failure
Jenkins Email Extension Plugin 2.93 and earlier does not escape
CVE-2023-25764
5.4 - Medium
- February 15, 2023
Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.
XSS
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator
CVE-2023-25762
5.4 - Medium
- February 15, 2023
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
XSS
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates
CVE-2023-25763
5.4 - Medium
- February 15, 2023
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier
CVE-2023-25767
8.8 - High
- February 15, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server.
Session Riding
A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier
CVE-2023-25768
6.5 - Medium
- February 15, 2023
A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
AuthZ
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions
CVE-2023-25761
5.4 - Medium
- February 15, 2023
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
XSS
Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation
CVE-2023-24449
4.3 - Medium
- January 26, 2023
Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Directory traversal
Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24441
9.8 - Critical
- January 26, 2023
Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier
CVE-2023-24448
6.5 - Medium
- January 26, 2023
A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier
CVE-2023-24447
8.8 - High
- January 26, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.
Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier
CVE-2023-24446
8.8 - High
- January 26, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
Session Riding
Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24443
9.8 - Critical
- January 26, 2023
Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier
CVE-2023-24437
8.8 - High
- January 26, 2023
A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Session Riding