Jenkins Jenkins CI / CD Server

Advisory	Title	Published
	Jenkins Security Advisory 2023-05-16	May 16, 2023
	Jenkins Security Advisory 2023-04-12	April 12, 2023
	Jenkins Security Advisory 2023-03-21	March 22, 2023
	Jenkins Security Advisory 2023-03-08	March 10, 2023
	Jenkins Security Advisory 2023-02-15	February 15, 2023
	Jenkins Security Advisory 2023-01-24	January 26, 2023
	Jenkins Security Advisory 2022-12-07	December 12, 2022
	Jenkins Security Advisory 2022-11-15	November 15, 2022
	Jenkins Security Advisory 2022-10-19	October 19, 2022
	Jenkins Security Advisory 2022-09-21	September 21, 2022

Known Exploited Jenkins Vulnerabilities

The following Jenkins vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title	Description	Added
Jenkins User Interface (UI) Information Disclosure Vulnerability	Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages. CVE-2015-5317	May 12, 2023
Jenkins Script Security Plugin Sandbox Bypass Vulnerability	Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. CVE-2019-1003029	April 25, 2022
Jenkins Matrix Project Plugin Remote Code Execution Vulnerability	Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. CVE-2019-1003030	March 25, 2022
Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability	A code execution vulnerability exists in the Stapler web framework used by Jenkins CVE-2018-1000861	February 10, 2022

By the Year

In 2023 there have been 131 vulnerabilities in Jenkins with an average score of 6.5 out of ten. Last year Jenkins had 381 security vulnerabilities published. Right now, Jenkins is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.30.

Year	Vulnerabilities	Average Score
2023	131	6.46
2022	381	6.16
2021	102	6.50
2020	173	6.09
2019	341	6.88
2018	120	6.45

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Jenkins Security Vulnerabilities

A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier

CVE-2023-2195 3.5 - Low - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.

Session Riding

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier

CVE-2023-2631 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Session Riding

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier

CVE-2023-2196 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

Directory traversal

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they

CVE-2023-2632 4.3 - Medium - May 16, 2023

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Insufficiently Protected Credentials

Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form

CVE-2023-2633 4.3 - Medium - May 16, 2023

Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Insufficiently Protected Credentials

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier

CVE-2023-32996 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

Incorrect Default Permissions

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier

CVE-2023-32999 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Incorrect Default Permissions

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form

CVE-2023-33000 7.5 - High - May 16, 2023

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Insufficiently Protected Credentials

Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata

CVE-2023-32994 3.7 - Low - May 16, 2023

Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Improper Certificate Validation

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.

CVE-2023-32997 8.8 - High - May 16, 2023

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.

Session Fixation

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier

CVE-2023-32998 8.8 - High - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Session Riding

A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier

CVE-2023-33006 5.4 - Medium - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account.

Session Riding

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier

CVE-2023-32990 6.5 - Medium - May 16, 2023

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Incorrect Permission Assignment for Critical Resource

A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier

CVE-2023-32991 8.8 - High - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

Session Riding

Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier

CVE-2023-32992 8.8 - High - May 16, 2023

Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

Incorrect Permission Assignment for Critical Resource

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata

CVE-2023-32993 4.8 - Medium - May 16, 2023

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Insufficient Verification of Data Authenticity

A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier

CVE-2023-32995 8.8 - High - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

Session Riding

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e

CVE-2023-33001 7.5 - High - May 16, 2023

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Insertion of Sensitive Information into Log File

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name

CVE-2023-33002 5.4 - Medium - May 16, 2023

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier

CVE-2023-33003 4.3 - Medium - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics.

Session Riding

A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier

CVE-2023-33004 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.

Incorrect Permission Assignment for Critical Resource

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

CVE-2023-33005 5.4 - Medium - May 16, 2023

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

Insufficient Session Expiration

Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name

CVE-2023-33007 5.4 - Medium - May 16, 2023

Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

XSS

Jenkins Pipeline: Job Plugin does not escape the display name of the build

CVE-2023-32977 5.4 - Medium - May 16, 2023

Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin

CVE-2023-32978 4.3 - Medium - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

Session Riding

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation

CVE-2023-32979 4.3 - Medium - May 16, 2023

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

Incorrect Permission Assignment for Critical Resource

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin

CVE-2023-32980 4.3 - Medium - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.

Session Riding

An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier

CVE-2023-32981 9.8 - Critical - May 16, 2023

An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

Memory Corruption

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they

CVE-2023-32982 4.3 - Medium - May 16, 2023

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Missing Encryption of Sensitive Data

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form

CVE-2023-32983 5.3 - Medium - May 16, 2023

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Cleartext Storage of Sensitive Information

Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values

CVE-2023-32984 5.4 - Medium - May 16, 2023

Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.

XSS

Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation

CVE-2023-32985 4.3 - Medium - May 16, 2023

Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Directory traversal

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters

CVE-2023-32986 8.8 - High - May 16, 2023

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Incorrect Permission Assignment for Critical Resource

A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier

CVE-2023-32987 8.8 - High - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

Session Riding

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier

CVE-2023-32988 4.3 - Medium - May 16, 2023

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Insufficiently Protected Credentials

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier

CVE-2023-32989 8.8 - High - May 16, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Session Riding

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e

CVE-2023-30513 7.5 - High - April 12, 2023

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Cleartext Transmission of Sensitive Information

Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e

CVE-2023-30514 7.5 - High - April 12, 2023

Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Cleartext Transmission of Sensitive Information

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e

CVE-2023-30515 7.5 - High - April 12, 2023

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Cleartext Transmission of Sensitive Information

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters

CVE-2023-30516 6.5 - Medium - April 12, 2023

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by default.

Improper Certificate Validation

Jenkins NeuVector Vulnerability S

CVE-2023-30517 5.3 - Medium - April 12, 2023

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

Improper Certificate Validation

Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted

CVE-2023-30520 5.4 - Medium - April 12, 2023

Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.

XSS

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier

CVE-2023-30532 6.5 - Medium - April 12, 2023

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

AuthZ

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it

CVE-2023-30530 4.3 - Medium - April 12, 2023

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form

CVE-2023-30531 6.5 - Medium - April 12, 2023

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

Cleartext Storage of Sensitive Information

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier

CVE-2023-30518 4.3 - Medium - April 12, 2023

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier

CVE-2023-30519 5.3 - Medium - April 12, 2023

A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

AuthZ

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier

CVE-2023-30521 5.3 - Medium - April 12, 2023

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

AuthZ

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier

CVE-2023-30522 4.3 - Medium - April 12, 2023

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.

AuthZ

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they

CVE-2023-30523 4.3 - Medium - April 12, 2023

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form

CVE-2023-30524 4.3 - Medium - April 12, 2023

Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.

A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier

CVE-2023-30525 8.8 - High - April 12, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication.

Session Riding

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier

CVE-2023-30526 6.5 - Medium - April 12, 2023

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

AuthZ

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it

CVE-2023-30527 4.3 - Medium - April 12, 2023

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Cleartext Storage of Sensitive Information

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form

CVE-2023-30528 6.5 - Medium - April 12, 2023

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

Cleartext Storage of Sensitive Information

Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint

CVE-2023-30529 4.3 - Medium - April 12, 2023

Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.

Session Riding

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration

CVE-2023-28677 9.8 - Critical - April 02, 2023

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

Command Injection

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28681 8.2 - High - April 02, 2023

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682 8.2 - High - April 02, 2023

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28683 8.2 - High - April 02, 2023

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28684 6.5 - Medium - April 02, 2023

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier

CVE-2023-28673 4.3 - Medium - April 02, 2023

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier

CVE-2023-28674 8.8 - High - April 02, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

Session Riding

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier

CVE-2023-28675 4.3 - Medium - April 02, 2023

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier

CVE-2023-28676 8.8 - High - April 02, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).

Session Riding

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names

CVE-2023-28678 5.4 - Medium - April 02, 2023

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

XSS

Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature

CVE-2023-28679 5.4 - Medium - April 02, 2023

Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

XSS

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28680 7.5 - High - April 02, 2023

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript

CVE-2023-28670 5.4 - Medium - April 02, 2023

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier

CVE-2023-28671 4.3 - Medium - April 02, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint

CVE-2023-28672 6.5 - Medium - April 02, 2023

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AuthZ

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

CVE-2023-28668 9.8 - Critical - April 02, 2023

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

Improper Preservation of Permissions

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI

CVE-2023-28669 5.4 - Medium - April 02, 2023

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

XSS

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28685 7.1 - High - March 22, 2023

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which

CVE-2023-27902 4.3 - Medium - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.

Jenkins 2.270 through 2.393 (both inclusive)

CVE-2023-27898 9.6 - Critical - March 10, 2023

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

XSS

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially

CVE-2023-27899 7 - High - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.

AuthZ

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser

CVE-2023-27900 7.5 - High - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.

Allocation of Resources Without Limits or Throttling

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl

CVE-2023-27901 7.5 - High - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.

Allocation of Resources Without Limits or Throttling

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially

CVE-2023-27903 4.4 - Medium - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

AuthZ

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration

CVE-2023-27904 5.3 - Medium - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization

CVE-2023-27905 9.6 - Critical - March 10, 2023

Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.

XSS

A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier

CVE-2023-23850 4.3 - Medium - February 15, 2023

A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Incorrect Default Permissions

Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier

CVE-2023-23848 4.3 - Medium - February 15, 2023

Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Incorrect Default Permissions

A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier

CVE-2023-23847 3.5 - Low - February 15, 2023

A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier

CVE-2023-25766 4.3 - Medium - February 15, 2023

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection

CVE-2023-25765 9.9 - Critical - February 15, 2023

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Protection Mechanism Failure

Jenkins Email Extension Plugin 2.93 and earlier does not escape

CVE-2023-25764 5.4 - Medium - February 15, 2023

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

XSS

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator

CVE-2023-25762 5.4 - Medium - February 15, 2023

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

XSS

Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates

CVE-2023-25763 5.4 - Medium - February 15, 2023

Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier

CVE-2023-25767 8.8 - High - February 15, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server.

Session Riding

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier

CVE-2023-25768 6.5 - Medium - February 15, 2023

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.

AuthZ

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions

CVE-2023-25761 5.4 - Medium - February 15, 2023

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

XSS

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation

CVE-2023-24449 4.3 - Medium - January 26, 2023

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Directory traversal

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-24441 9.8 - Critical - January 26, 2023

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier

CVE-2023-24448 6.5 - Medium - January 26, 2023

A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier

CVE-2023-24447 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

Session Riding

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier

CVE-2023-24446 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

Session Riding

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-24443 9.8 - Critical - January 26, 2023

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier

CVE-2023-24437 8.8 - High - January 26, 2023

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Session Riding

Jenkins Jenkins CI / CD Server

Products by Jenkins Sorted by Most Security Vulnerabilities since 2018

Jenkins129 vulnerabilitiesContinuous Integration Engine

Jenkins Pipeline30 vulnerabilities

Jenkins Script Security25 vulnerabilities

Jenkins Git12 vulnerabilities

Jenkins Configuration As Code9 vulnerabilities

Jenkins Email Extension8 vulnerabilities

Jenkins Ns Nd Integration Performance Publisher8 vulnerabilities

Jenkins Blue Ocean8 vulnerabilities

Jenkins Active Directory7 vulnerabilities

Jenkins Openshift Deployer7 vulnerabilities

Jenkins Rundeck7 vulnerabilities

Jenkins Config File Provider7 vulnerabilities

Jenkins Kubernetes7 vulnerabilities

Jenkins Mercurial7 vulnerabilities

Jenkins Amazon Ec26 vulnerabilities

Jenkins Github Pull Request Builder6 vulnerabilities

Jenkins Project Inheritance6 vulnerabilities

Jenkins Repository Connector6 vulnerabilities

Jenkins Warnings Next Generation6 vulnerabilities

Jenkins Subversion6 vulnerabilities

Jenkins Xebialabs Xl Deploy6 vulnerabilities

Jenkins Gerrit Trigger6 vulnerabilities

Jenkins Azure Vm Agents6 vulnerabilities

Jenkins Saml Single Sign On6 vulnerabilities

Jenkins Electricflow6 vulnerabilities

Jenkins Credentials Binding5 vulnerabilities

Jenkins Openid5 vulnerabilities

Jenkins Gitlab5 vulnerabilities

Jenkins Support Core5 vulnerabilities

Jenkins Extended Choice Parameter5 vulnerabilities

Jenkins Promoted Builds5 vulnerabilities

Jenkins Pipeline Maven Integration5 vulnerabilities

Jenkins Publish Over Ssh5 vulnerabilities

Jenkins Websphere Deployer5 vulnerabilities

Jenkins Job And Node Ownership5 vulnerabilities

Jenkins Junit5 vulnerabilities

Jenkins Deployment Dashboard5 vulnerabilities

Jenkins Chef Sinatra5 vulnerabilities

Jenkins Hashicorp Vault5 vulnerabilities

Jenkins Octoperf Load Testing5 vulnerabilities

Jenkins Code Dx5 vulnerabilities

Jenkins Crx Content Package Deployer4 vulnerabilities

Jenkins Active Choices4 vulnerabilities

Jenkins Job Import4 vulnerabilities

Jenkins Rapiddeploy4 vulnerabilities

Jenkins Cons3rt4 vulnerabilities

Jenkins Ansible4 vulnerabilities

Jenkins Matrix Project4 vulnerabilities

Jenkins P44 vulnerabilities

Jenkins Github4 vulnerabilities

Jenkins Kubernetes Ci4 vulnerabilities

Jenkins Requests4 vulnerabilities

Jenkins Liquibase Runner4 vulnerabilities

Jenkins Azure Ad4 vulnerabilities

Jenkins Google Login4 vulnerabilities

Jenkins Git Parameter4 vulnerabilities

Jenkins Fortify On Demand4 vulnerabilities

Jenkins S3 Publisher4 vulnerabilities

Jenkins Proxmox4 vulnerabilities

Jenkins Convertigo Mobile Platform4 vulnerabilities

Jenkins Jira Pipeline Steps4 vulnerabilities

Jenkins Google Compute Engine4 vulnerabilities

Jenkins Build Failure Analyzer4 vulnerabilities

Jenkins Coverity4 vulnerabilities

Jenkins Vmware Lab Manager Slaves4 vulnerabilities

Jenkins Wso2 Oauth4 vulnerabilities

Jenkins Mailer4 vulnerabilities

Jenkins Report Portal4 vulnerabilities

Jenkins Embeddable Build Status4 vulnerabilities

Jenkins Repo4 vulnerabilities

Jenkins Ftp Publisher3 vulnerabilities

Jenkins Dotci3 vulnerabilities

Jenkins Pipeline Github Notify Step3 vulnerabilities

Jenkins Deployer Framework3 vulnerabilities

Jenkins129 vulnerabilities
Continuous Integration Engine