Jenkins Jenkins CI / CD Server
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Jenkins product.
RSS Feeds for Jenkins security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Jenkins products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Jenkins Sorted by Most Security Vulnerabilities since 2018
Recent Jenkins Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2025-07-09 | Jenkins Security Advisory 2025-07-09 | July 9, 2025 |
| 2025-06-06 | Jenkins Security Advisory 2025-06-06 | June 6, 2025 |
| 2025-05-14 | Jenkins Security Advisory 2025-05-14 | May 14, 2025 |
| 2025-04-10 | Jenkins Security Advisory 2025-04-10 | April 10, 2025 |
| 2025-04-02 | Jenkins Security Advisory 2025-04-02 | April 2, 2025 |
| 2025-03-19 | Jenkins Security Advisory 2025-03-19 | March 19, 2025 |
| 2025-03-05 | Jenkins Security Advisory 2025-03-05 | March 5, 2025 |
| 2025-01-22 | Jenkins Security Advisory 2025-01-22 | January 22, 2025 |
| 2024-11-27 | Jenkins Security Advisory 2024-11-27 | November 27, 2024 |
| 2024-11-13 | Jenkins Security Advisory 2024-11-13 | November 13, 2024 |
Known Exploited Jenkins Vulnerabilities
The following Jenkins vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Jenkins Command Line Interface (CLI) Path Traversal Vulnerability |
Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution. CVE-2024-23897 Exploit Probability: 94.5% |
August 19, 2024 |
| Jenkins User Interface (UI) Information Disclosure Vulnerability |
Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages. CVE-2015-5317 Exploit Probability: 28.6% |
May 12, 2023 |
| Jenkins Script Security Plugin Sandbox Bypass Vulnerability |
Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. CVE-2019-1003029 Exploit Probability: 92.7% |
April 25, 2022 |
| Jenkins Matrix Project Plugin Remote Code Execution Vulnerability |
Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. CVE-2019-1003030 Exploit Probability: 92.8% |
March 25, 2022 |
| Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability |
A code execution vulnerability exists in the Stapler web framework used by Jenkins CVE-2018-1000861 Exploit Probability: 94.5% |
February 10, 2022 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2015-5317: Jenkins User Interface (UI) Information Disclosure Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there have been 34 vulnerabilities in Jenkins. Last year, in 2024 Jenkins had 31 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2025 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 34 | 0.00 |
| 2024 | 31 | 6.18 |
| 2023 | 255 | 6.36 |
| 2022 | 389 | 6.16 |
| 2021 | 102 | 6.51 |
| 2020 | 227 | 6.00 |
| 2019 | 341 | 6.88 |
| 2018 | 120 | 6.45 |
It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Security Vulnerabilities
Jenkins Aqua Security S
CVE-2025-53653
- July 09, 2025
Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it
CVE-2025-53654
- July 09, 2025
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form
CVE-2025-53655
- July 09, 2025
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they
CVE-2025-53656
- July 09, 2025
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys
CVE-2025-53657
- July 09, 2025
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page
CVE-2025-53658
- July 09, 2025
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they
CVE-2025-53659
- July 09, 2025
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form
CVE-2025-53660
- July 09, 2025
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form
CVE-2025-53661
- July 09, 2025
Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they
CVE-2025-53662
- July 09, 2025
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they
CVE-2025-53663
- July 09, 2025
Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token
CVE-2025-47884
- May 14, 2025
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses
CVE-2025-47885
- May 14, 2025
Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses.
A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier
CVE-2025-47886
- May 14, 2025
A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.
Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier
CVE-2025-47887
- May 14, 2025
Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.
CVE-2025-47888
- May 14, 2025
Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames
CVE-2025-47889
- May 14, 2025
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys
CVE-2025-32754
- April 10, 2025
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys
CVE-2025-32755
- April 10, 2025
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they
CVE-2025-31725
- April 02, 2025
Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they
CVE-2025-31726
- April 02, 2025
Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they
CVE-2025-31727
- April 02, 2025
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form
CVE-2025-31728
- April 02, 2025
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier
CVE-2025-31720
- April 02, 2025
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier
CVE-2025-31721
- April 02, 2025
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.
In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection
CVE-2025-31722
- April 02, 2025
In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier
CVE-2025-31723
- April 02, 2025
A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order.
Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they
CVE-2025-31724
- April 02, 2025
Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI
CVE-2025-27622
- March 05, 2025
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI
CVE-2025-27623
- March 05, 2025
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier
CVE-2025-27624
- March 05, 2025
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL
CVE-2025-27625
- March 05, 2025
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret these characters as part of scheme-relative redirects.
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs
CVE-2025-24398
- January 22, 2025
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username
CVE-2025-24399
- January 22, 2025
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
Jenkins Pipeline: Groovy Plugin - Unchecked Script Approval Vulnerability
CVE-2024-52550
- November 13, 2024
Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.
Session Fixation Vulnerability in Jenkins OpenId Connect Authentication Plugin
CVE-2024-52553
- November 13, 2024
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml`
CVE-2024-47805
7.5 - High
- October 02, 2024
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
Insufficiently Protected Credentials
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk
CVE-2024-47804
4.3 - Medium
- October 02, 2024
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
Jenkins 2.478 and earlier
CVE-2024-47803
4.3 - Medium
- October 02, 2024
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
Generation of Error Message Containing Sensitive Information
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token
CVE-2024-47806
- October 02, 2024
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token
CVE-2024-47807
- October 02, 2024
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint
CVE-2024-43045
6.3 - Medium
- August 07, 2024
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".
AuthZ
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier
CVE-2024-43044
8.8 - High
- August 07, 2024
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
Improper Check for Unusual or Exceptional Conditions
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered
CVE-2024-34148
- May 02, 2024
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'.
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views
CVE-2024-28160
- March 06, 2024
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names
CVE-2024-28156
5.4 - Medium
- March 06, 2024
Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.
XSS
Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints
CVE-2024-28155
4.3 - Medium
- March 06, 2024
Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.
AuthZ
Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.
CVE-2024-28154
6.5 - Medium
- March 06, 2024
Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.
A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier
CVE-2024-28159
- March 06, 2024
A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build.
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names
CVE-2024-28150
- March 06, 2024
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.