Jenkins CI / CD Server


Products by Jenkins Sorted by Most Security Vulnerabilities since 2018

Jenkins - 116 vulnerabilities
Continuous Integration Engine
Jenkins Pipeline - 28 vulnerabilities
Jenkins Script Security - 24 vulnerabilities
Jenkins Git - 12 vulnerabilities
Jenkins Blue Ocean - 8 vulnerabilities
Jenkins Active Directory - 7 vulnerabilities
Jenkins Mercurial - 7 vulnerabilities
Jenkins Rundeck - 7 vulnerabilities
Jenkins Config File Provider - 7 vulnerabilities
Jenkins Openshift Deployer - 7 vulnerabilities
Jenkins Electricflow - 6 vulnerabilities
Jenkins Repository Connector - 6 vulnerabilities
Jenkins Amazon Ec2 - 6 vulnerabilities
Jenkins Subversion - 6 vulnerabilities
Jenkins Project Inheritance - 6 vulnerabilities
Jenkins Xebialabs Xl Deploy - 6 vulnerabilities
Jenkins Kubernetes - 6 vulnerabilities
Jenkins Publish Over Ssh - 5 vulnerabilities
Jenkins Credentials Binding - 5 vulnerabilities
Jenkins Openid - 5 vulnerabilities
Jenkins Gitlab - 5 vulnerabilities
Jenkins Support Core - 5 vulnerabilities
Jenkins Deployment Dashboard - 5 vulnerabilities
Jenkins Gerrit Trigger - 5 vulnerabilities
Jenkins Websphere Deployer - 5 vulnerabilities
Jenkins Chef Sinatra - 5 vulnerabilities
Jenkins Promoted Builds - 5 vulnerabilities
Jenkins Active Choices - 4 vulnerabilities
Jenkins Kubernetes Ci - 4 vulnerabilities
Jenkins Rapiddeploy - 4 vulnerabilities
Jenkins S3 Publisher - 4 vulnerabilities
Jenkins Github - 4 vulnerabilities
Jenkins Junit - 4 vulnerabilities
Jenkins Cons3rt - 4 vulnerabilities
Jenkins Proxmox - 4 vulnerabilities
Jenkins Google Login - 4 vulnerabilities
Jenkins Repo - 4 vulnerabilities
Jenkins Requests - 4 vulnerabilities
Jenkins Git Parameter - 4 vulnerabilities
Jenkins Coverity - 4 vulnerabilities
Jenkins Liquibase Runner - 4 vulnerabilities
Jenkins Job Import - 4 vulnerabilities
Jenkins Matrix Project - 4 vulnerabilities
Jenkins Mailer - 4 vulnerabilities
Jenkins Fortify On Demand - 4 vulnerabilities
Jenkins P4 - 4 vulnerabilities
Jenkins Hashicorp Vault - 4 vulnerabilities
Jenkins Icescrum - 3 vulnerabilities
Jenkins Rqm - 3 vulnerabilities
Jenkins Jira - 3 vulnerabilities
Jenkins Docker - 3 vulnerabilities
Jenkins Credentials - 3 vulnerabilities
Jenkins Audit To Database - 3 vulnerabilities
Jenkins Audit Trail - 3 vulnerabilities
Jenkins Mac - 3 vulnerabilities
Jenkins Email Extension - 3 vulnerabilities
Jenkins Dotci - 3 vulnerabilities
Jenkins Azure Ad - 3 vulnerabilities
Jenkins Maven - 3 vulnerabilities
Jenkins Azure Vm Agents - 3 vulnerabilities
Jenkins Beaker Builder - 3 vulnerabilities
Jenkins Recipe - 3 vulnerabilities
Jenkins Orka By Macstadium - 3 vulnerabilities
Jenkins Rocketchat Notifier - 3 vulnerabilities
Jenkins Black Duck Hub - 3 vulnerabilities
Jenkins Dbcharts - 3 vulnerabilities
Jenkins Dashboard View - 3 vulnerabilities
Jenkins Katalon - 3 vulnerabilities
Jenkins Easyqa - 3 vulnerabilities
Jenkins Libvirt Slaves - 3 vulnerabilities
Jenkins Checkmarx - 3 vulnerabilities
Jenkins Nomad - 3 vulnerabilities
Jenkins Deployer Framework - 3 vulnerabilities
Jenkins Openstack Heat - 3 vulnerabilities
Jenkins Code Coverage Api - 3 vulnerabilities
Jenkins Ftp Publisher - 3 vulnerabilities

Recent Jenkins Security Advisories

Advisory Title Published
Jenkins Security Advisory 2023-01-24 January 26, 2023
Jenkins Security Advisory 2022-12-07 December 12, 2022
Jenkins Security Advisory 2022-11-15 November 15, 2022
Jenkins Security Advisory 2022-10-19 October 19, 2022
Jenkins Security Advisory 2022-09-21 September 21, 2022
Jenkins Security Advisory 2022-08-23 August 23, 2022
Jenkins Security Advisory 2022-07-27 July 27, 2022
Jenkins Security Advisory 2015-10-12 July 7, 2022
Jenkins Security Advisory 2022-06-30 June 30, 2022
Jenkins Security Advisory 2022-06-22 June 23, 2022


By the Year

In 2023 there have been 26 vulnerabilities in Jenkins with an average score of 7.1 out of ten. Last year Jenkins had 381 security vulnerabilities published. Right now, Jenkins is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.95.

Year Vulnerabilities Average Score
2023 26 7.11
2022 381 6.16
2021 102 6.50
2020 173 6.09
2019 341 6.91
2018 120 6.45

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Jenkins Security Vulnerabilities

CVE-2023-24451 4.3 - Medium - January 26, 2023

A missing permission check in Jenkins Cisco Spark Notifier Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2023-24431 4.3 - Medium - January 26, 2023

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2023-24432 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

CVE-2023-24433 6.5 - Medium - January 26, 2023

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

CVE-2023-24434 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

CVE-2023-24436 4.3 - Medium - January 26, 2023

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2023-24437 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

CVE-2023-24441 9.8 - Critical - January 26, 2023

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2023-24442 5.5 - Medium - January 26, 2023

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

CVE-2023-24443 9.8 - Critical - January 26, 2023

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2023-24444 9.8 - Critical - January 26, 2023

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

Improper Resource Shutdown or Release

CVE-2023-24445 6.1 - Medium - January 26, 2023

Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

Open Redirect

CVE-2023-24446 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

Session Riding

CVE-2023-24447 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

Session Riding

CVE-2023-24448 6.5 - Medium - January 26, 2023

A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

AuthZ

CVE-2023-24449 4.3 - Medium - January 26, 2023

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Directory traversal

CVE-2023-24450 6.5 - Medium - January 26, 2023

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

CVE-2023-24452 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

Session Riding

CVE-2023-24453 6.5 - Medium - January 26, 2023

A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

AuthZ

CVE-2023-24454 5.5 - Medium - January 26, 2023

Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

CVE-2023-24455 4.3 - Medium - January 26, 2023

Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Directory traversal

CVE-2023-24456 9.8 - Critical - January 26, 2023

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

Session Fixation

CVE-2023-24457 6.5 - Medium - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account.

Session Riding

CVE-2023-24458 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL.

Session Riding

CVE-2023-24459 6.5 - Medium - January 26, 2023

A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

AuthZ

CVE-2023-24435 6.5 - Medium - January 26, 2023

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

CVE-2022-46688 6.5 - Medium - December 12, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Session Riding

CVE-2022-46682 9.8 - Critical - December 12, 2022

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-46683 6.1 - Medium - December 12, 2022

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

Open Redirect

CVE-2022-46684 5.4 - Medium - December 12, 2022

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.

XSS

CVE-2022-46686 5.4 - Medium - December 12, 2022

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

XSS

CVE-2022-46687 5.4 - Medium - December 12, 2022

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

XSS

CVE-2022-45395 9.8 - Critical - November 15, 2022

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-45396 9.8 - Critical - November 15, 2022

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-45397 9.8 - Critical - November 15, 2022

Jenkins OSF Builder Suite :: XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-45400 9.8 - Critical - November 15, 2022

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-38666 7.5 - High - November 15, 2022

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.

Improper Certificate Validation

CVE-2022-45379 7.5 - High - November 15, 2022

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Inadequate Encryption Strength

CVE-2022-45380 5.4 - Medium - November 15, 2022

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

CVE-2022-45381 8.1 - High - November 15, 2022

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

Directory traversal

CVE-2022-45382 5.4 - Medium - November 15, 2022

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

XSS

CVE-2022-45383 6.5 - Medium - November 15, 2022

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

AuthZ

CVE-2022-45384 6.5 - Medium - November 15, 2022

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Insufficiently Protected Credentials

CVE-2022-45385 7.5 - High - November 15, 2022

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

AuthZ

CVE-2022-45386 5.5 - Medium - November 15, 2022

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-45388 7.5 - High - November 15, 2022

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

Directory traversal

CVE-2022-45389 5.3 - Medium - November 15, 2022

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

AuthZ

CVE-2022-45390 4.3 - Medium - November 15, 2022

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2022-45391 7.5 - High - November 15, 2022

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

Improper Certificate Validation

CVE-2022-45392 6.5 - Medium - November 15, 2022

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Unprotected Storage of Credentials

CVE-2022-45393 3.5 - Low - November 15, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.

Session Riding

CVE-2022-45394 4.3 - Medium - November 15, 2022

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

AuthZ

CVE-2022-45398 4.3 - Medium - November 15, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

Session Riding

CVE-2022-45399 4.3 - Medium - November 15, 2022

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

AuthZ

CVE-2022-45401 5.4 - Medium - November 15, 2022

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

CVE-2022-45387 5.4 - Medium - November 15, 2022

Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

XSS

CVE-2022-43427 4.3 - Medium - October 19, 2022

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2022-43412 5.3 - Medium - October 19, 2022

Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

Side Channel Attack

CVE-2022-43411 5.3 - Medium - October 19, 2022

Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

Side Channel Attack

CVE-2022-43401 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

CVE-2022-43421 5.3 - Medium - October 19, 2022

A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value.

AuthZ

CVE-2022-43420 5.4 - Medium - October 19, 2022

Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.

XSS

CVE-2022-43419 6.5 - Medium - October 19, 2022

Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Insufficiently Protected Credentials

CVE-2022-43418 4.3 - Medium - October 19, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

CVE-2022-43417 4.3 - Medium - October 19, 2022

Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

CVE-2022-43415 7.5 - High - October 19, 2022

Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2022-43414 5.3 - Medium - October 19, 2022

Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.

CVE-2022-43413 4.3 - Medium - October 19, 2022

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier

CVE-2022-43404 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier

CVE-2022-43403 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier

CVE-2022-43402 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs

CVE-2022-43409 5.4 - Medium - October 19, 2022

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

XSS

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs

CVE-2022-43407 8.8 - High - October 19, 2022

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

Inappropriate Encoding for Output Context

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs

CVE-2022-43408 6.5 - Medium - October 19, 2022

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

Inappropriate Encoding for Output Context

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier

CVE-2022-43405 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint

CVE-2022-43431 4.3 - Medium - October 19, 2022

Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-43430 7.5 - High - October 19, 2022

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field

CVE-2022-43426 5.3 - Medium - October 19, 2022

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Missing Password Field Masking

Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters

CVE-2022-43425 5.4 - Medium - October 19, 2022

Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces

CVE-2022-43433 4.3 - Medium - October 19, 2022

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Protection Mechanism Failure

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces

CVE-2022-43432 4.3 - Medium - October 19, 2022

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces

CVE-2022-43435 5.3 - Medium - October 19, 2022

Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces

CVE-2022-43434 5.3 - Medium - October 19, 2022

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Protection Mechanism Failure

A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier

CVE-2022-43406 9.9 - Critical - October 19, 2022

A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about

CVE-2022-43410 5.3 - Medium - October 19, 2022

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.

Information Disclosure

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where it

CVE-2022-41247 4.3 - Medium - September 21, 2022

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause

CVE-2022-41239 5.4 - Medium - September 21, 2022

Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

XSS

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI

CVE-2022-41224 5.4 - Medium - September 21, 2022

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

XSS

Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API

CVE-2022-41225 5.4 - Medium - September 21, 2022

Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

XSS

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-41226 9.8 - Critical - September 21, 2022

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier

CVE-2022-41227 8.8 - High - September 21, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.

Session Riding

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier

CVE-2022-41228 8.8 - High - September 21, 2022

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials.

AuthZ

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step

CVE-2022-41229 5.4 - Medium - September 21, 2022

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier

CVE-2022-41242 5.4 - Medium - September 21, 2022

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

AuthZ

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier

CVE-2022-41246 6.5 - Medium - September 21, 2022

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier

CVE-2022-41245 8.8 - High - September 21, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server

CVE-2022-41244 8.1 - High - September 21, 2022

Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server, which could be abused in a man-in-the-middle attack to intercept these connections.

Improper Validation of Certificate with Host Mismatch

Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server

CVE-2022-41243 8.1 - High - September 21, 2022

Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server, which could be abused in a man-in-the-middle attack to intercept these connections.

Improper Validation of Certificate with Host Mismatch

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier

CVE-2022-41232 8 - High - September 21, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.

Session Riding

Jenkins Build-Publisher Plugin 1.22 and earlier

CVE-2022-41231 5.7 - Medium - September 21, 2022

Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Directory traversal

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).