Jenkins Jenkins CI / CD Server
stack.watch can notify you when security vulnerabilities are reported in any Jenkins product. You can add multiple products that you use with Jenkins to create your own personal software stack watcher.
Products by Jenkins Sorted by Most Security Vulnerabilities since 2018
@jenkinsci Tweets
Online Meetup on July 14: "Jenkins Operator on OpenShift". @BobadeVibhav will present how to use #JenkinsOperator o… https://t.co/FtzvEcYGsn
Tue Jul 07 15:10:34 +0000 2020
Tue Jul 07 15:10:34 +0000 2020
RT @RedHatStorage: Quick—Learn to speed #CICD pipelines! If you're using pipelines & #Jenkins w/@kubernetesio & GitHub to automate the app…
Mon Jul 06 16:41:01 +0000 2020
Mon Jul 06 16:41:01 +0000 2020
We have updated the Jenkins Code of Conduct to Contributor Covenant 2.0. We are committed to foster an open, divers… https://t.co/CED4Ce29Qn
Mon Jul 06 11:55:43 +0000 2020
Mon Jul 06 11:55:43 +0000 2020
RT @Lothar_May: I've written a tutorial for #UE4 cross platform build automation with #Jenkins: https://t.co/2YN2qnPQQK This is basically a…
Sat Jul 04 20:51:07 +0000 2020
Sat Jul 04 20:51:07 +0000 2020
RT @grEvenX: Another awesome update from the great people working on the @jenkinsci system. This will make the chore of upgrading plugins m…
Fri Jul 03 22:28:40 +0000 2020
Fri Jul 03 22:28:40 +0000 2020
By the Year
In 2020 there have been 104 vulnerabilities in Jenkins with an average score of 6.3 out of ten. Last year Jenkins had 340 security vulnerabilities published. Right now, Jenkins is on track to have less security vulerabilities in 2020 than it did last year. Last year, the average CVE base score was greater by 0.76
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 104 | 6.27 |
| 2019 | 340 | 7.02 |
| 2018 | 113 | 6.52 |
It may take a day or so for new Jenkins vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest Jenkins Security Vulnerabilities
A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods
CVE-2020-2202
4.3 - Medium
- July 02, 2020
A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
Incorrect Permission Assignment for Critical Resource
Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2211
8.8 - High
- July 02, 2020
Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier
CVE-2020-2216
4.3 - Medium
- July 02, 2020
A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password.
AuthZ
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier
CVE-2020-2215
4.3 - Medium
- July 02, 2020
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.
352
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
CVE-2020-2197
4.3 - Medium
- June 03, 2020
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
Incorrect Default Permissions
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
CVE-2020-2198
6.5 - Medium
- June 03, 2020
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
Insufficiently Protected Credentials
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page
CVE-2020-2190
5.4 - Medium
- June 03, 2020
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.
XSS
Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents
CVE-2020-2185
5.6 - Medium
- May 06, 2020
Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier
CVE-2020-2186
4.3 - Medium
- May 06, 2020
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.
352
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation
CVE-2020-2187
5.6 - Medium
- May 06, 2020
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.
Improper Certificate Validation
A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods
CVE-2020-2188
4.3 - Medium
- May 06, 2020
A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
AuthZ
Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks
CVE-2020-2183
6.5 - Medium
- May 06, 2020
Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.
Incorrect Default Permissions
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e
CVE-2020-2181
6.5 - Medium
- May 06, 2020
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
Insufficiently Protected Credentials
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e
CVE-2020-2182
4.3 - Medium
- May 06, 2020
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.
Insufficiently Protected Credentials
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier
CVE-2020-2184
4.3 - Medium
- May 06, 2020
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
352
Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2189
8.8 - High
- May 06, 2020
Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2180
8.8 - High
- April 16, 2020
Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they
CVE-2020-2177
4.3 - Medium
- April 16, 2020
Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Cleartext Storage of Sensitive Information
Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2178
7.1 - High
- April 16, 2020
Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2179
8.8 - High
- April 16, 2020
Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output
CVE-2020-2174
6.1 - Medium
- April 07, 2020
Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
XSS
Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2172
6.5 - Medium
- April 07, 2020
Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XEE
Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI
CVE-2020-2175
5.4 - Medium
- April 07, 2020
Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.
XSS
Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers
CVE-2020-2173
5.4 - Medium
- April 07, 2020
Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
XSS
Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received
CVE-2020-2176
5.4 - Medium
- April 07, 2020
Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.
XSS
Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2168
8.8 - High
- March 25, 2020
Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Improper Input Validation
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs
CVE-2020-2160
8.8 - High
- March 25, 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
352
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels
CVE-2020-2161
5.4 - Medium
- March 25, 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
XSS
Jenkins 2.227 and earlier
CVE-2020-2162
5.4 - Medium
- March 25, 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
XSS
Jenkins 2.227 and earlier
CVE-2020-2163
5.4 - Medium
- March 25, 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
XSS
Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2167
8.8 - High
- March 25, 2020
Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Improper Input Validation
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2166
8.8 - High
- March 25, 2020
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Improper Input Validation
A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message
CVE-2020-2169
6.1 - Medium
- March 25, 2020
A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.
XSS
Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained
CVE-2020-2170
5.4 - Medium
- March 25, 2020
Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.
XSS
Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2171
8.8 - High
- March 25, 2020
Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation
CVE-2020-2140
6.1 - Medium
- March 09, 2020
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
XSS
Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms
CVE-2020-2153
4.3 - Medium
- March 09, 2020
Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2138
7.1 - High
- March 09, 2020
Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier
CVE-2020-2139
6.5 - Medium
- March 09, 2020
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system.
Directory traversal
Jenkins CryptoMove Plugin 0.1.33 and earlier
CVE-2020-2159
8.8 - High
- March 09, 2020
Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.
Shell injection
Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms
CVE-2020-2156
4.3 - Medium
- March 09, 2020
Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation
CVE-2020-2136
5.4 - Medium
- March 09, 2020
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
XSS
Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2158
8.8 - High
- March 09, 2020
Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form
CVE-2020-2143
5.3 - Medium
- March 09, 2020
Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin
CVE-2020-2146
7.4 - High
- March 09, 2020
Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
Improper Verification of Cryptographic Signature
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier
CVE-2020-2147
4.3 - Medium
- March 09, 2020
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
352
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier
CVE-2020-2148
4.3 - Medium
- March 09, 2020
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
AuthZ
Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form
CVE-2020-2155
5.3 - Medium
- March 09, 2020
Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier
CVE-2020-2141
4.3 - Medium
- March 09, 2020
A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add a labels in Perforce.
352
A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier
CVE-2020-2142
4.3 - Medium
- March 09, 2020
A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.
AuthZ
Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form
CVE-2020-2151
5.3 - Medium
- March 09, 2020
Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Repository Connector Plugin 1.2.6 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form
CVE-2020-2149
5.3 - Medium
- March 09, 2020
Jenkins Repository Connector Plugin 1.2.6 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2144
7.1 - High
- March 09, 2020
Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.
CVE-2020-2134
8.8 - High
- March 09, 2020
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.
AuthZ
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects
CVE-2020-2135
8.8 - High
- March 09, 2020
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.
AuthZ
Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms
CVE-2020-2157
4.3 - Medium
- March 09, 2020
Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Sonar Quality Gates Plugin 1.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form
CVE-2020-2150
5.3 - Medium
- March 09, 2020
Jenkins Sonar Quality Gates Plugin 1.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Cleartext Transmission of Sensitive Information
Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation
CVE-2020-2152
6.1 - Medium
- March 09, 2020
Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
XSS
Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output
CVE-2020-2137
4.8 - Medium
- March 09, 2020
Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
XSS
Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.
CVE-2020-2145
5.5 - Medium
- March 09, 2020
Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.
Insufficiently Protected Credentials
Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.
CVE-2020-2154
5.5 - Medium
- March 09, 2020
Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.
Cleartext Storage of Sensitive Information
Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it
CVE-2020-2133
6.5 - Medium
- February 12, 2020
Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form
CVE-2020-2119
5.3 - Medium
- February 12, 2020
Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
Insufficiently Protected Credentials
Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they
CVE-2020-2127
4.3 - Medium
- February 12, 2020
Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
Insufficiently Protected Credentials
Jenkins Brakeman Plugin 0.12 and earlier did not escape values received
CVE-2020-2122
5.4 - Medium
- February 12, 2020
Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.
XSS
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it
CVE-2020-2125
4.3 - Medium
- February 12, 2020
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Insufficiently Protected Credentials
Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it
CVE-2020-2126
4.3 - Medium
- February 12, 2020
Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.
Insufficiently Protected Credentials
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it
CVE-2020-2124
4.3 - Medium
- February 12, 2020
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it
CVE-2020-2129
6.5 - Medium
- February 12, 2020
Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Insufficiently Protected Credentials
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it
CVE-2020-2128
4.3 - Medium
- February 12, 2020
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2120
8.8 - High
- February 12, 2020
Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI
CVE-2020-2112
5.4 - Medium
- February 12, 2020
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
XSS
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI
CVE-2020-2113
5.4 - Medium
- February 12, 2020
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
XSS
Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2121
8.8 - High
- February 12, 2020
Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it
CVE-2020-2130
6.5 - Medium
- February 12, 2020
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Insufficiently Protected Credentials
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they
CVE-2020-2131
6.5 - Medium
- February 12, 2020
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2115
8.8 - High
- February 12, 2020
Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it
CVE-2020-2132
6.5 - Medium
- February 12, 2020
Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier
CVE-2020-2109
9.9 - Critical
- February 12, 2020
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
Improper Input Validation
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier
CVE-2020-2116
8.8 - High
- February 12, 2020
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
352
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier
CVE-2020-2117
4.3 - Medium
- February 12, 2020
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Incorrect Default Permissions
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods
CVE-2020-2118
4.3 - Medium
- February 12, 2020
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
Incorrect Default Permissions
Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types
CVE-2020-2123
8.8 - High
- February 12, 2020
Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Marshaling, Unmarshaling
Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form
CVE-2020-2114
7.5 - High
- February 12, 2020
Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
Insufficiently Protected Credentials
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
CVE-2020-2110
9.9 - Critical
- February 12, 2020
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
Improper Input Validation
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation
CVE-2020-2111
5.4 - Medium
- February 12, 2020
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.
XSS
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view
CVE-2020-2106
5.4 - Medium
- January 29, 2020
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.
XSS
Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they
CVE-2020-2107
4.3 - Medium
- January 29, 2020
Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Insufficiently Protected Credentials
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3
CVE-2020-2099
8.6 - High
- January 29, 2020
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
Use of Insufficiently Random Values
Jenkins 2.218 and earlier
CVE-2020-2100
5.8 - Medium
- January 29, 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially
CVE-2020-2101
5.3 - Medium
- January 29, 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
Information Exposure Through Discrepancy
Jenkins 2.218 and earlier
CVE-2020-2102
5.3 - Medium
- January 29, 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
Information Exposure Through Discrepancy
Jenkins 2.218 and earlier
CVE-2020-2103
5.4 - Medium
- January 29, 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
Information Leak
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier
CVE-2020-2104
4.3 - Medium
- January 29, 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
AuthZ
REST API endpoints in Jenkins 2.218 and earlier
CVE-2020-2105
5.4 - Medium
- January 29, 2020
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
1021
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks
CVE-2020-2108
7.6 - High
- January 29, 2020
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions.
XXE
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier
CVE-2020-2090
8.8 - High
- January 15, 2020
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
352
A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier
CVE-2020-2091
8.1 - High
- January 15, 2020
A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
Incorrect Default Permissions
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint
CVE-2020-2096
6.1 - Medium
- January 15, 2020
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
XSS
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier
CVE-2020-2093
8.8 - High
- January 15, 2020
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.
352