Jenkins CI / CD Server


Products by Jenkins Sorted by Most Security Vulnerabilities since 2018

Jenkins (Continuous Integration Engine): 84 vulnerabilities
Jenkins Script Security: 19 vulnerabilities
Jenkins Pipeline: 8 vulnerabilities
Jenkins Active Directory: 6 vulnerabilities
Jenkins Amazon Ec2: 6 vulnerabilities
Jenkins Xebialabs Xl Deploy: 6 vulnerabilities
Jenkins Electricflow: 6 vulnerabilities
Jenkins Kubernetes: 6 vulnerabilities
Jenkins Config File Provider: 6 vulnerabilities
Jenkins Blue Ocean: 5 vulnerabilities
Jenkins Project Inheritance: 5 vulnerabilities
Jenkins Git: 5 vulnerabilities
Jenkins Websphere Deployer: 5 vulnerabilities
Jenkins Rapiddeploy: 4 vulnerabilities
Jenkins P4: 4 vulnerabilities
Jenkins Gerrit Trigger: 4 vulnerabilities
Jenkins Rundeck: 4 vulnerabilities
Jenkins S3 Publisher: 4 vulnerabilities
Jenkins Fortify On Demand: 4 vulnerabilities
Jenkins Liquibase Runner: 4 vulnerabilities
Jenkins Credentials Binding: 4 vulnerabilities
Jenkins Kubernetes Ci: 4 vulnerabilities
Jenkins Ftp Publisher: 3 vulnerabilities
Jenkins Active Choices: 3 vulnerabilities
Jenkins Subversion: 3 vulnerabilities
Jenkins Openshift Deployer: 3 vulnerabilities
Jenkins Ansible Tower: 3 vulnerabilities
Jenkins Email Extension: 3 vulnerabilities
Jenkins Warnings: 3 vulnerabilities
Jenkins Support Core: 3 vulnerabilities
Jenkins Matrix Project: 3 vulnerabilities
Jenkins Audit To Database: 3 vulnerabilities
Jenkins Audit Trail: 3 vulnerabilities
Jenkins Github: 3 vulnerabilities
Jenkins Azure Ad: 3 vulnerabilities
Jenkins Tracetronic Ecu Test: 3 vulnerabilities
Jenkins Azure Vm Agents: 3 vulnerabilities
Jenkins Kmap: 3 vulnerabilities
Jenkins Soasta Cloudtest: 3 vulnerabilities
Jenkins Nomad: 3 vulnerabilities
Jenkins Black Duck Hub: 3 vulnerabilities
Jenkins Mercurial: 3 vulnerabilities
Jenkins Maven: 3 vulnerabilities
Jenkins Git Parameter: 3 vulnerabilities
Jenkins Repository Connector: 3 vulnerabilities
Jenkins Vsphere: 3 vulnerabilities
Jenkins Team Concert: 3 vulnerabilities
Jenkins Code Coverage Api: 3 vulnerabilities
Jenkins Docker: 3 vulnerabilities
Jenkins Icescrum: 3 vulnerabilities
Jenkins Libvirt Slaves: 3 vulnerabilities
Jenkins Job Import: 3 vulnerabilities
Jenkins Mac: 3 vulnerabilities
Jenkins Requests: 3 vulnerabilities
Jenkins Jx Resources: 2 vulnerabilities
Jenkins Android Lint: 2 vulnerabilities
Jenkins Ansible: 2 vulnerabilities
Jenkins Harvest Scm: 2 vulnerabilities
Jenkins Koji: 2 vulnerabilities
Jenkins Reviewbot: 2 vulnerabilities
Jenkins Promoted Builds: 2 vulnerabilities
Jenkins Aws Codedeploy: 2 vulnerabilities
Jenkins Octopusdeploy: 2 vulnerabilities
Jenkins Groovy: 2 vulnerabilities
Jenkins Html Publisher: 2 vulnerabilities
Jenkins Openid: 2 vulnerabilities
Jenkins Bumblebee Hp Alm: 2 vulnerabilities
Jenkins Cadence Vmanager: 2 vulnerabilities
Jenkins Mailer: 2 vulnerabilities
Jenkins Cas: 2 vulnerabilities
Jenkins Inedo Buildmaster: 2 vulnerabilities
Jenkins Jira: 2 vulnerabilities
Jenkins Junit: 2 vulnerabilities
Jenkins Credentials: 2 vulnerabilities
Jenkins Dashboard View: 2 vulnerabilities
Jenkins M2release: 2 vulnerabilities
Jenkins Lockable Resources: 2 vulnerabilities


By the Year

In 2021 there have been 81 vulnerabilities in Jenkins with an average score of 6.0 out of ten. Last year Jenkins had 172 security vulnerabilities published. Right now, Jenkins is on track to have fewer security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 0.03.

Year Vulnerabilities Average Score
2021 81 6.04
2020 172 6.08
2019 340 6.91
2018 119 6.46

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Jenkins Security Vulnerabilities

CVE-2021-21684 | 6.1 - Medium | October 06, 2021 | XSS
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2021-21680 | 7.1 - High | August 31, 2021 | XXE
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

CVE-2021-21681 | 5.5 - Medium | August 31, 2021 | Unprotected Storage of Credentials
Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2021-21679 | 8.8 - High | August 31, 2021 | Protection Mechanism Failure
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2021-21678 | 8.8 - High | August 31, 2021 | Protection Mechanism Failure
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2021-21677 | 8.8 - High | August 31, 2021 | Marshaling, Unmarshaling
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.

CVE-2021-21671 | 7.5 - High | June 30, 2021 | Session Fixation
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

CVE-2021-21670 | 4.3 - Medium | June 30, 2021 | AuthZ
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

CVE-2021-21675 | 6.5 - Medium | June 30, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.

CVE-2021-21673 | 6.1 - Medium | June 30, 2021 | Open Redirect
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

CVE-2021-21672 | 4.3 - Medium | June 30, 2021 | XXE
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21676 | 4.3 - Medium | June 30, 2021 | AuthZ
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.

CVE-2021-21674 | 4.3 - Medium | June 30, 2021 | AuthZ
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

CVE-2021-21669 | 9.8 - Critical | June 18, 2021 | XXE
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21668 | 5.4 - Medium | June 16, 2021 | XSS
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

CVE-2021-21667 | 5.4 - Medium | June 16, 2021 | XSS
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

CVE-2021-21666 | 6.1 - Medium | June 10, 2021 | XSS
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVE-2021-21661 | 4.3 - Medium | June 10, 2021 | AuthZ
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2021-21665 | 8 - High | June 10, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

CVE-2021-21664 | 6.5 - Medium | June 10, 2021 | AuthZ
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

CVE-2021-21663 | 4.3 - Medium | June 10, 2021 | AuthZ
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

CVE-2021-21662 | 4.3 - Medium | June 10, 2021 | AuthZ
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

CVE-2021-21659 | 8.1 - High | May 25, 2021 | XXE
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21660 | 5.4 - Medium | May 25, 2021 | XSS
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.

CVE-2021-21658 | 9.1 - Critical | May 25, 2021 | XXE
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21657 | 8.8 - High | May 25, 2021 | XXE
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21649 | 5.4 - Medium | May 11, 2021 | XSS
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

CVE-2021-21648 | 6.1 - Medium | May 11, 2021 | XSS
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVE-2021-21652 | 7.1 - High | May 11, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2021-21651 | 4.3 - Medium | May 11, 2021 | AuthZ
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.

CVE-2021-21650 | 4.3 - Medium | May 11, 2021 | AuthZ
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.

CVE-2021-21656 | 7.1 - High | May 11, 2021 | XXE
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21654 | 4.3 - Medium | May 11, 2021 | AuthZ
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.

CVE-2021-21653 | 4.3 - Medium | May 11, 2021 | AuthZ
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2021-21655 | 7.1 - High | May 11, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.

CVE-2021-21642 | 8.1 - High | April 21, 2021 | XXE
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21643 | 6.5 - Medium | April 21, 2021 | AuthZ
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

CVE-2021-21647 | 4.3 - Medium | April 21, 2021 | AuthZ
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

CVE-2021-21644 | 5.4 - Medium | April 21, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

CVE-2021-21646 | 8.8 - High | April 21, 2021 | Protection Mechanism Failure
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

CVE-2021-21645 | 4.3 - Medium | April 21, 2021 | AuthZ
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.

CVE-2021-21641 | 4.3 - Medium | April 07, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds.

CVE-2021-21639 | 4.3 - Medium | April 07, 2021 | Improper Input Validation
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

CVE-2021-21640 | 4.3 - Medium | April 07, 2021 | Improper Handling of Inconsistent Structural Elements
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

CVE-2021-21628 | 5.4 - Medium | March 30, 2021 | XSS
Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21629 | 8.8 - High | March 30, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

CVE-2021-21630 | 5.4 - Medium | March 30, 2021 | XSS
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21631 | 4.3 - Medium | March 30, 2021 | AuthZ
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

CVE-2021-21632 | 6.5 - Medium | March 30, 2021 | AuthZ
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

CVE-2021-21633 | 8.8 - High | March 30, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

CVE-2021-21634 | 6.5 - Medium | March 30, 2021 | Insufficiently Protected Credentials
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2021-21635 | 5.4 - Medium | March 30, 2021 | XSS
Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21636 | 4.3 - Medium | March 30, 2021 | AuthZ
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

CVE-2021-21637 | 6.5 - Medium | March 30, 2021 | AuthZ
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2021-21638 | 8.8 - High | March 30, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2021-21623 | 6.5 - Medium | March 18, 2021 | AuthZ
An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

CVE-2021-21624 | 4.3 - Medium | March 18, 2021 | AuthZ
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

CVE-2021-21625 | 4.3 - Medium | March 18, 2021 | AuthZ
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

CVE-2021-21626 | 4.3 - Medium | March 18, 2021 | AuthZ
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.

CVE-2021-21627 | 8.8 - High | March 18, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.

CVE-2021-21616 | 4.6 - Medium | February 24, 2021 | XSS
Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21618 | 5.4 - Medium | February 24, 2021 | XSS
Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2021-21621 | 5.3 - Medium | February 24, 2021 | Information Disclosure
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.

CVE-2021-21617 | 8.8 - High | February 24, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

CVE-2021-21619 | 5.4 - Medium | February 24, 2021 | XSS
Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

CVE-2021-21620 | 4.3 - Medium | February 24, 2021 | Session Riding
A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.

CVE-2021-21622 | 5.4 - Medium | February 24, 2021 | XSS
Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins 2.275 and LTS 2.263.2

CVE-2021-21615 5.3 - Medium - January 26, 2021

Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

TOCTTOU

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier

CVE-2021-21602 6.5 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

insecure temporary file

Jenkins 2.274 and earlier

CVE-2021-21603 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

XSS

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor

CVE-2021-21604 8 - High - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Marshaling, Unmarshaling

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names

CVE-2021-21605 8 - High - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

Improper Input Validation

CVE-2021-21606 4.3 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

Improper Input Validation

CVE-2021-21607 6.5 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

Allocation of Resources Without Limits or Throttling

Jenkins 2.274 and earlier

CVE-2021-21608 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

XSS

CVE-2021-21609 5.3 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

AuthZ

Jenkins 2.274 and earlier

CVE-2021-21610 6.1 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

XSS

Jenkins 2.274 and earlier

CVE-2021-21611 5.4 - Medium - January 13, 2021

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

XSS

CVE-2021-21612 5.5 - Medium - January 13, 2021

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

CVE-2021-21614 5.5 - Medium - January 13, 2021

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Insufficiently Protected Credentials

CVE-2021-21613 6.1 - Medium - January 13, 2021

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

XSS

CVE-2020-2320 9.8 - Critical - December 03, 2020

Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.

Download of Code Without Integrity Check

CVE-2020-2321 8.1 - High - December 03, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.

Session Riding

CVE-2020-2324 7.5 - High - December 03, 2020

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Active Directory Plugin 2.19 and earlier

CVE-2020-2299 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password.

authentication

CVE-2020-2300 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.

authentication

CVE-2020-2301 9.8 - Critical - November 04, 2020

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.

authentication

CVE-2020-2302 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.

AuthZ

CVE-2020-2303 4.3 - Medium - November 04, 2020

A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

Session Riding

CVE-2020-2304 6.5 - Medium - November 04, 2020

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2020-2305 6.5 - Medium - November 04, 2020

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2020-2306 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

AuthZ

Jenkins Kubernetes Plugin 1.27.3 and earlier

CVE-2020-2307 4.3 - Medium - November 04, 2020

Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Information Disclosure

CVE-2020-2308 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.

AuthZ

CVE-2020-2309 4.3 - Medium - November 04, 2020

A missing or incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2020-2310 4.3 - Medium - November 04, 2020

Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2020-2311 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.

AuthZ

CVE-2020-2312 6.5 - Medium - November 04, 2020

Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.

Insufficiently Protected Credentials

CVE-2020-2313 4.3 - Medium - November 04, 2020

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AuthZ

CVE-2020-2314 5.5 - Medium - November 04, 2020

Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Unprotected Storage of Credentials

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).