Jenkins CI / CD Server

Products by Jenkins, sorted by most security vulnerabilities since 2018

Product                                    Vulnerabilities
Jenkins (Continuous Integration Engine)    98
Jenkins Script Security                    19
Jenkins Pipeline                            8
Jenkins Active Directory                    7
Jenkins Amazon EC2                          6
Jenkins Kubernetes                          6
Jenkins ElectricFlow                        6
Jenkins Config File Provider                6
Jenkins XebiaLabs XL Deploy                 6
Jenkins Publish Over SSH                    5
Jenkins Git                                 5
Jenkins WebSphere Deployer                  5
Jenkins Blue Ocean                          5
Jenkins Project Inheritance                 5
Jenkins Credentials Binding                 5
Jenkins Fortify On Demand                   4
Jenkins Active Choices                      4
Jenkins Matrix Project                      4
Jenkins P4                                  4
Jenkins Subversion                          4
Jenkins RapidDeploy                         4
Jenkins S3 Publisher                        4
Jenkins Gerrit Trigger                      4
Jenkins Rundeck                             4
Jenkins Liquibase Runner                    4
Jenkins Mailer                              4
Jenkins Kubernetes CI                       4
Jenkins iceScrum                            3
Jenkins Email Extension                     3
Jenkins Ansible Tower                       3
Jenkins Support Core                        3
Jenkins Audit To Database                   3
Jenkins Audit Trail                         3
Jenkins OpenShift Deployer                  3
Jenkins TraceTronic ECU-TEST                3
Jenkins Warnings                            3
Jenkins SOASTA CloudTest                    3
Jenkins Azure AD                            3
Jenkins Docker                              3
Jenkins Azure VM Agents                     3
Jenkins Kmap                                3
Jenkins FTP Publisher                       3
Jenkins Mercurial                           3
Jenkins Black Duck Hub                      3
Jenkins Nomad                               3
Jenkins Maven                               3
Jenkins Mac                                 3
Jenkins Repository Connector                3
Jenkins Scriptler                           3
Jenkins Git Parameter                       3
Jenkins vSphere                             3
Jenkins GitHub                              3
Jenkins Team Concert                        3
Jenkins Code Coverage API                   3
Jenkins Requests                            3
Jenkins Job Import                          3
Jenkins Libvirt Slaves                      3
Jenkins Reviewbot                           2
Jenkins Android Lint                        2
Jenkins Ansible                             2
Jenkins JUnit                               2
Jenkins AWS CodeDeploy                      2
Jenkins Lockable Resources                  2
Jenkins Jira                                2
Jenkins OpenID                              2
Jenkins OctopusDeploy                       2
Jenkins Bumblebee HP ALM                    2
Jenkins Cadence vManager                    2
Jenkins M2Release                           2
Jenkins Inedo BuildMaster                   2
Jenkins HTML Publisher                      2
Jenkins JClouds                             2
Jenkins JX Resources                        2
Jenkins Inedo ProGet                        2
Jenkins Credentials                         2
Jenkins Kubernetes Pipeline                 2
Jenkins Dashboard View                      2

Recent Jenkins Security Advisories

Advisory                               Published
Jenkins Security Advisory 2022-01-12   January 12, 2022
Jenkins Security Advisory 2021-11-12   November 12, 2021
Jenkins Security Advisory 2021-11-04   November 4, 2021
Jenkins Security Advisory 2021-10-06   October 6, 2021
Jenkins Security Advisory 2021-08-31   August 31, 2021
Jenkins Security Advisory 2021-06-30   June 30, 2021
Jenkins Security Advisory 2021-06-18   June 18, 2021
Jenkins Security Advisory 2021-06-16   June 16, 2021
Jenkins Security Advisory 2021-06-10   June 10, 2021
Jenkins Security Advisory 2021-05-25   May 25, 2021

By the Year

In 2022 there have so far been 24 vulnerabilities in Jenkins, with an average CVSS base score of 5.7 out of 10. Last year Jenkins had 101 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of Jenkins vulnerabilities in 2022 could surpass last year's total. Last year's average CVE base score was higher by 0.79.

Year Vulnerabilities Average Score
2022 24 5.70
2021 101 6.49
2020 172 6.08
2019 340 6.91
2018 119 6.46

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example under the plugin name rather than under Jenkins itself).

Recent Jenkins Security Vulnerabilities

CVE-2022-20618 4.3 - Medium - January 12, 2022
A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate the IDs of credentials stored in Jenkins.
Weakness: Incorrect Permission Assignment for Critical Resource

CVE-2022-20619 7.1 - High - January 12, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Weakness: Session Riding (CSRF)

CVE-2022-23113 4.3 - Medium - January 12, 2022
Jenkins Publish Over SSH Plugin 1.22 and earlier validates a user-specified file name by reporting whether that file is present on the controller, without restricting the path, resulting in a path traversal vulnerability that allows attackers with Item/Configure permission to determine which files exist on the Jenkins controller file system.
Weakness: Directory traversal

CVE-2022-23117 7.5 - High - January 12, 2022
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.
Weakness: Improper Privilege Management

CVE-2022-23118 8.8 - High - January 12, 2022
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.
Weakness: Improper Privilege Management

CVE-2022-20613 4.3 - Medium - January 12, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
Weakness: Session Riding (CSRF)

CVE-2022-20621 5.5 - Medium - January 12, 2022
Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Weakness: Insufficiently Protected Credentials

CVE-2022-23105 6.5 - Medium - January 12, 2022
Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.
Weakness: Cleartext Transmission of Sensitive Information

CVE-2022-23106 5.3 - Medium - January 12, 2022
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token, allowing attackers to use statistical methods to obtain a valid authentication token.
Weakness: Side Channel Attack (timing)

CVE-2022-23107 8.1 - High - January 12, 2022
Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.
Weakness: Directory traversal

CVE-2022-23108 5.4 - Medium - January 12, 2022
Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Weakness: XSS

CVE-2022-23109 6.5 - Medium - January 12, 2022
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.
Weakness: Insufficiently Protected Credentials

CVE-2022-23110 4.8 - Medium - January 12, 2022
Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
Weakness: XSS

CVE-2022-23111 4.3 - Medium - January 12, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
Weakness: Session Riding (CSRF)

CVE-2022-23112 6.5 - Medium - January 12, 2022
A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.
Weakness: AuthZ

CVE-2022-23114 3.3 - Low - January 12, 2022
Jenkins Publish Over SSH Plugin 1.22 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Weakness: Insufficiently Protected Credentials

CVE-2022-23115 5.4 - Medium - January 12, 2022
Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.
Weakness: Session Riding (CSRF)

CVE-2022-23116 7.5 - High - January 12, 2022
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.
Weakness: Missing Encryption of Sensitive Data

CVE-2022-20614 4.3 - Medium - January 12, 2022
A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
Weakness: Incorrect Permission Assignment for Critical Resource

CVE-2022-20615 5.4 - Medium - January 12, 2022
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Weakness: XSS

CVE-2022-20617 8.8 - High - January 12, 2022
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository.
Weakness: Shell injection

CVE-2022-20620 4.3 - Medium - January 12, 2022
Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allow attackers with Overall/Read access to enumerate the IDs of credentials stored in Jenkins.
Weakness: Exposure of Resource to Wrong Sphere

CVE-2022-20612 4.3 - Medium - January 12, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger a build of a job without parameters when no security realm is set.
Weakness: Session Riding (CSRF)

CVE-2022-20616 4.3 - Medium - January 12, 2022
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate whether a credential ID refers to a secret file credential and whether it is a zip file.
Weakness: Incorrect Permission Assignment for Critical Resource
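The CVE-2022-23106 entry above is a timing side channel: a comparison that stops at the first mismatching character answers faster for wrong guesses than for guesses that share a correct prefix, and enough timed requests recover the token position by position. The following is an added example, not Configuration as Code plugin code and not a claim about how that plugin was fixed; the token value is constructed for the demo. It puts the vulnerable shape beside the JDK primitive that removes the signal.

```java
// Added example (not Configuration as Code plugin code, and not a claim about how that
// plugin was fixed): a token check with the non-constant-time comparison behind
// CVE-2022-23106, beside the JDK primitive that removes the timing signal.
// The token value is constructed for the demo.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class TokenCheck {

    // Constructed demo secret; a real plugin would read this from its configuration.
    static final String EXPECTED_TOKEN = "c0ffee42-constructed-demo-token";

    // VULNERABLE: String.equals compares character by character and returns as soon
    // as one differs. Requests whose token shares a longer correct prefix take
    // measurably longer to reject, so an attacker who times many requests can
    // recover the token one position at a time (the "statistical methods" in the advisory).
    static boolean isValidTokenVulnerable(String presented) {
        return EXPECTED_TOKEN.equals(presented);
    }

    // FIXED: hash both sides so the compared arrays always have the same, fixed
    // length (the presented token's length no longer leaks either), then compare
    // with MessageDigest.isEqual, which examines every byte regardless of where the
    // first mismatch is.
    static boolean isValidToken(String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(sha256(EXPECTED_TOKEN), sha256(presented));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("correct token accepted: " + isValidToken(EXPECTED_TOKEN));
        System.out.println("near miss rejected:     " + !isValidToken("c0ffee42-constructed-demo-tokeX"));
        System.out.println("null rejected:          " + !isValidToken(null));
    }
}
```

Hashing before comparing is what makes the fix complete: `MessageDigest.isEqual` is constant-time only over inputs of equal length, and without the hash the length of a rejected token would still leak through an early return.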

CVE-2021-21699 5.4 - Medium - November 12, 2021
Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Weakness: XSS

CVE-2021-21700 5.4 - Medium - November 12, 2021
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Weakness: XSS

CVE-2021-21701 6.5 - Medium - November 12, 2021
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-43576 6.5 - Medium - November 12, 2021
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Weakness: XXE

CVE-2021-43577 7.1 - High - November 12, 2021
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-43578 8.1 - High - November 12, 2021
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
Weakness: Protection Mechanism Failure
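"Does not configure its XML parser to prevent XXE" recurs throughout this list (Performance, pom2config, OWASP Dependency-Check above, and the Nested View, Selenium HTML report, Generic Webhook Trigger, URLTrigger, Nuget, Filesystem Trigger and Xcode entries further down). The CVE-2021-43576 text spells out the consequence: a DOCTYPE with an external entity makes the controller read a local file into the document or fetch an attacker URL. The example below is added here and is not code from any of those plugins; it is plain JDK with no Jenkins dependency, the XXE payload is constructed for the demo, and it shows the default (weak) factory beside the hardened configuration that these fixes amount to, for both DOM parsing and XSLT transformation.

```java
// Added example (not from any plugin on this page): the parser configuration that the
// "does not configure its XML parser to prevent XXE" entries are missing.
// Plain JDK, no Jenkins dependencies. The XXE payload below is constructed for the demo.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeXml {

    // Constructed payload: a DTD that pulls /etc/passwd into the <name> element.
    // Replacing the file: URL with http://attacker/ turns the same payload into SSRF.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<report><name>&xxe;</name></report>";

    // WEAK: a default DocumentBuilderFactory resolves external entities, so the
    // referenced file (or remote resource) ends up inside the parsed DOM.
    static DocumentBuilder weakBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // HARDENED: refuse any DOCTYPE outright (no DTD means no entity declarations),
    // and also switch off entity resolution and XInclude in case a parser
    // implementation on the classpath does not honour the first feature.
    static DocumentBuilder safeBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Same idea for XSLT (the Nested View entry on this page concerns an XML transformer):
    // forbid external DTDs and external stylesheets entirely.
    static TransformerFactory safeTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    static Document parse(DocumentBuilder b, String xml) throws Exception {
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Weak path: on a Linux host the <name> text is the contents of /etc/passwd.
        try {
            Document d = parse(weakBuilder(), XXE_PAYLOAD);
            int leaked = d.getDocumentElement().getTextContent().length();
            System.out.println("weak parser expanded the entity; " + leaked + " chars leaked");
        } catch (Exception e) {
            System.out.println("weak parser failed to resolve entity: " + e.getMessage());
        }
        // Hardened path: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            parse(safeBuilder(), XXE_PAYLOAD);
            System.out.println("UNEXPECTED: hardened parser accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Inside a plugin the shortest route is not to build the factory by hand at all: Jenkins core provides `jenkins.util.xml.XMLUtils` with `parse(...)` and `safeTransform(...)` helpers that apply this configuration, and using them is what the Jenkins project recommends to plugin authors.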

The November 4, 2021 core entries below all concern the agent-to-controller file access control around FilePath: an attacker who controls an agent process can use any of them to read or write controller files that the access control was meant to keep out of reach.

CVE-2021-21691 9.8 - Critical - November 04, 2021
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: AuthZ

CVE-2021-21692 9.8 - Critical - November 04, 2021
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
Weakness: AuthZ

CVE-2021-21693 9.8 - Critical - November 04, 2021
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: AuthZ

CVE-2021-21694 9.8 - Critical - November 04, 2021
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: AuthZ

CVE-2021-21690 9.8 - Critical - November 04, 2021
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: Protection Mechanism Failure

CVE-2021-21695 8.8 - High - November 04, 2021
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: AuthZ

CVE-2021-21696 9.8 - Critical - November 04, 2021
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.
Weakness: Protection Mechanism Failure

CVE-2021-21697 9.1 - Critical - November 04, 2021
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Weakness: Denylist / Deny List

CVE-2021-21698 7.5 - High - November 04, 2021
Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.
Weakness: Directory traversal

CVE-2021-21687 9.1 - Critical - November 04, 2021
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
Weakness: AuthZ

CVE-2021-21689 9.1 - Critical - November 04, 2021
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Weakness: AuthZ

CVE-2021-21685 9.1 - Critical - November 04, 2021
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
Weakness: AuthZ

CVE-2021-21686 8.1 - High - November 04, 2021
File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.
Weakness: Link following (symbolic links not canonicalized)

CVE-2021-21688 7.5 - High - November 04, 2021
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).
Weakness: AuthZ

CVE-2021-21684 6.1 - Medium - October 06, 2021
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
Weakness: XSS

CVE-2021-21677 8.8 - High - August 31, 2021
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
Weakness: Unsafe deserialization (marshaling/unmarshaling)

CVE-2021-21678 8.8 - High - August 31, 2021
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Weakness: Protection Mechanism Failure

CVE-2021-21679 8.8 - High - August 31, 2021
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Weakness: Protection Mechanism Failure

CVE-2021-21681 5.5 - Medium - August 31, 2021
Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Weakness: Unprotected Storage of Credentials

CVE-2021-21680 7.1 - High - August 31, 2021
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21675 6.5 - Medium - June 30, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.
Weakness: Session Riding (CSRF)

CVE-2021-21674 4.3 - Medium - June 30, 2021
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
Weakness: AuthZ

CVE-2021-21676 4.3 - Medium - June 30, 2021
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.
Weakness: AuthZ

CVE-2021-21672 4.3 - Medium - June 30, 2021
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21673 6.1 - Medium - June 30, 2021
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Weakness: Open Redirect

CVE-2021-21670 4.3 - Medium - June 30, 2021
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Weakness: AuthZ

CVE-2021-21671 7.5 - High - June 30, 2021
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
Weakness: Session Fixation

CVE-2021-21669 9.8 - Critical - June 18, 2021
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21668 5.4 - Medium - June 16, 2021
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Weakness: XSS

CVE-2021-21667 5.4 - Medium - June 16, 2021
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Weakness: XSS

CVE-2021-21666 6.1 - Medium - June 10, 2021
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
Weakness: XSS

CVE-2021-21661 4.3 - Medium - June 10, 2021
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins.
Weakness: AuthZ

CVE-2021-21665 8.0 - High - June 10, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
Weakness: Session Riding (CSRF)

CVE-2021-21664 6.5 - Medium - June 10, 2021
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
Weakness: AuthZ

CVE-2021-21663 4.3 - Medium - June 10, 2021
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
Weakness: AuthZ

CVE-2021-21662 4.3 - Medium - June 10, 2021
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins.
Weakness: AuthZ

CVE-2021-21659 8.1 - High - May 25, 2021
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21660 5.4 - Medium - May 25, 2021
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.
Weakness: XSS

CVE-2021-21658 9.1 - Critical - May 25, 2021
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21657 8.8 - High - May 25, 2021
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21655 7.1 - High - May 11, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using an attacker-specified username and password.
Weakness: Session Riding (CSRF)

CVE-2021-21654 4.3 - Medium - May 11, 2021
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using an attacker-specified username and password.
Weakness: AuthZ

CVE-2021-21656 7.1 - High - May 11, 2021
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Weakness: XXE

CVE-2021-21650 4.3 - Medium - May 11, 2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
Weakness: AuthZ

CVE-2021-21651 4.3 - Medium - May 11, 2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
Weakness: AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier

CVE-2021-21652 7.1 - High - May 11, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides

CVE-2021-21648 6.1 - Medium - May 11, 2021

Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

XSS

Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets

CVE-2021-21649 5.4 - Medium - May 11, 2021

Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

XSS

Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint

CVE-2021-21653 4.3 - Medium - May 11, 2021

Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints

CVE-2021-21645 4.3 - Medium - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.

AuthZ

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin

CVE-2021-21646 8.8 - High - April 21, 2021

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier

CVE-2021-21644 5.4 - Medium - April 21, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

Session Riding

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint

CVE-2021-21647 4.3 - Medium - April 21, 2021

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

AuthZ

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints

CVE-2021-21643 6.5 - Medium - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

AuthZ

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21642 8.1 - High - April 21, 2021

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check

CVE-2021-21640 4.3 - Medium - April 07, 2021

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

Improper Handling of Inconsistent Structural Elements

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node

CVE-2021-21639 4.3 - Medium - April 07, 2021

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

Improper Input Validation

A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier

CVE-2021-21641 4.3 - Medium - April 07, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds.

Session Riding

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier

CVE-2021-21629 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

Session Riding

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions

CVE-2021-21628 5.4 - Medium - March 30, 2021

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column

CVE-2021-21630 5.4 - Medium - March 30, 2021

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint

CVE-2021-21631 4.3 - Medium - March 30, 2021

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

AuthZ

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier

CVE-2021-21632 6.5 - Medium - March 30, 2021

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier

CVE-2021-21633 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

Session Riding

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they

CVE-2021-21634 6.5 - Medium - March 30, 2021

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript

CVE-2021-21635 5.4 - Medium - March 30, 2021

Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

XSS

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21637 6.5 - Medium - March 30, 2021

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21636 4.3 - Medium - March 30, 2021

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier

CVE-2021-21638 8.8 - High - March 30, 2021

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints

CVE-2021-21625 4.3 - Medium - March 18, 2021

Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

AuthZ

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).