Jenkins Jenkins CI / CD Server
Products by Jenkins Sorted by Most Security Vulnerabilities since 2018
@jenkinsci Tweets
Wed Aug 04 16:10:24 +0000 2021
Wed Aug 04 13:56:08 +0000 2021
Wed Aug 04 06:23:02 +0000 2021
Tue Aug 03 10:11:45 +0000 2021
Tue Aug 03 06:46:06 +0000 2021
By the Year
In 2021 there have been 75 vulnerabilities in Jenkins with an average score of 5.9 out of ten. Last year Jenkins had 171 security vulnerabilities published. Right now, Jenkins is on track to have less security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 0.14
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2021 | 75 | 5.93 |
| 2020 | 171 | 6.06 |
| 2019 | 340 | 6.91 |
| 2018 | 119 | 6.46 |
It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Security Vulnerabilities
Jenkins 2.299 and earlier
CVE-2021-21671
7.5 - High
- June 30, 2021
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
Session Fixation
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier
CVE-2021-21670
4.3 - Medium
- June 30, 2021
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier
CVE-2021-21675
6.5 - Medium
- June 30, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.
Session Riding
Jenkins CAS Plugin 1.6.0 and earlier improperly determines
CVE-2021-21673
6.1 - Medium
- June 30, 2021
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Open Redirect
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21672
4.3 - Medium
- June 30, 2021
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint
CVE-2021-21676
4.3 - Medium
- June 30, 2021
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.
AuthZ
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier
CVE-2021-21674
4.3 - Medium
- June 30, 2021
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
AuthZ
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21669
9.8 - Critical
- June 18, 2021
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content
CVE-2021-21668
5.4 - Medium
- June 16, 2021
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
XSS
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms
CVE-2021-21667
5.4 - Medium
- June 16, 2021
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
XSS
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint
CVE-2021-21666
6.1 - Medium
- June 10, 2021
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
XSS
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints
CVE-2021-21661
4.3 - Medium
- June 10, 2021
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier
CVE-2021-21665
8 - High
- June 10, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
Session Riding
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier
CVE-2021-21664
6.5 - Medium
- June 10, 2021
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
AuthZ
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier
CVE-2021-21663
4.3 - Medium
- June 10, 2021
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
AuthZ
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier
CVE-2021-21662
4.3 - Medium
- June 10, 2021
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
AuthZ
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21659
8.1 - High
- May 25, 2021
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs
CVE-2021-21660
5.4 - Medium
- May 25, 2021
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.
XSS
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21658
9.1 - Critical
- May 25, 2021
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21657
8.8 - High
- May 25, 2021
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets
CVE-2021-21649
5.4 - Medium
- May 11, 2021
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
XSS
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides
CVE-2021-21648
6.1 - Medium
- May 11, 2021
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier
CVE-2021-21652
7.1 - High
- May 11, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Session Riding
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint
CVE-2021-21651
4.3 - Medium
- May 11, 2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
AuthZ
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models
CVE-2021-21650
4.3 - Medium
- May 11, 2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
AuthZ
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21656
7.1 - High
- May 11, 2021
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints
CVE-2021-21654
4.3 - Medium
- May 11, 2021
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
AuthZ
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint
CVE-2021-21653
4.3 - Medium
- May 11, 2021
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier
CVE-2021-21655
7.1 - High
- May 11, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.
Session Riding
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21642
8.1 - High
- April 21, 2021
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints
CVE-2021-21643
6.5 - Medium
- April 21, 2021
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
AuthZ
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint
CVE-2021-21647
4.3 - Medium
- April 21, 2021
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier
CVE-2021-21644
5.4 - Medium
- April 21, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.
Session Riding
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin
CVE-2021-21646
8.8 - High
- April 21, 2021
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
Protection Mechanism Failure
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints
CVE-2021-21645
4.3 - Medium
- April 21, 2021
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier
CVE-2021-21641
4.3 - Medium
- April 07, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds.
Session Riding
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node
CVE-2021-21639
4.3 - Medium
- April 07, 2021
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
Improper Input Validation
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check
CVE-2021-21640
4.3 - Medium
- April 07, 2021
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
Improper Handling of Inconsistent Structural Elements
Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions
CVE-2021-21628
5.4 - Medium
- March 30, 2021
Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier
CVE-2021-21629
8.8 - High
- March 30, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.
Session Riding
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column
CVE-2021-21630
5.4 - Medium
- March 30, 2021
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint
CVE-2021-21631
4.3 - Medium
- March 30, 2021
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.
AuthZ
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier
CVE-2021-21632
6.5 - Medium
- March 30, 2021
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier
CVE-2021-21633
8.8 - High
- March 30, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
Session Riding
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they
CVE-2021-21634
6.5 - Medium
- March 30, 2021
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Insufficiently Protected Credentials
Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript
CVE-2021-21635
5.4 - Medium
- March 30, 2021
Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier
CVE-2021-21636
4.3 - Medium
- March 30, 2021
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
AuthZ
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier
CVE-2021-21637
6.5 - Medium
- March 30, 2021
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier
CVE-2021-21638
8.8 - High
- March 30, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Session Riding
An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier
CVE-2021-21623
6.5 - Medium
- March 18, 2021
An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.
AuthZ
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier
CVE-2021-21624
4.3 - Medium
- March 18, 2021
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.
AuthZ
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints
CVE-2021-21625
4.3 - Medium
- March 18, 2021
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
AuthZ
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation
CVE-2021-21626
4.3 - Medium
- March 18, 2021
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier
CVE-2021-21627
8.8 - High
- March 18, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.
Session Riding
Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values
CVE-2021-21616
4.6 - Medium
- February 24, 2021
Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds
CVE-2021-21618
5.4 - Medium
- February 24, 2021
Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
XSS
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information
CVE-2021-21621
5.3 - Medium
- February 24, 2021
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.
Information Disclosure
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier
CVE-2021-21617
8.8 - High
- February 24, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.
Session Riding
Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either
CVE-2021-21619
5.4 - Medium
- February 24, 2021
Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.
XSS
A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier
CVE-2021-21620
4.3 - Medium
- February 24, 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.
Session Riding
Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions
CVE-2021-21622
5.4 - Medium
- February 24, 2021
Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
Jenkins 2.275 and LTS 2.263.2
CVE-2021-21615
5.3 - Medium
- January 26, 2021
Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
TOCTTOU
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier
CVE-2021-21602
6.5 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.
insecure temporary file
Jenkins 2.274 and earlier
CVE-2021-21603
5.4 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.
XSS
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor
CVE-2021-21604
8 - High
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
Marshaling, Unmarshaling
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names
CVE-2021-21605
8 - High
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.
Improper Input Validation
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence
CVE-2021-21606
4.3 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.
Improper Input Validation
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs
CVE-2021-21607
6.5 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.
Allocation of Resources Without Limits or Throttling
Jenkins 2.274 and earlier
CVE-2021-21608
5.4 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.
XSS
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths
CVE-2021-21609
5.3 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
AuthZ
Jenkins 2.274 and earlier
CVE-2021-21610
6.1 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
XSS
Jenkins 2.274 and earlier
CVE-2021-21611
5.4 - Medium
- January 13, 2021
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.
XSS
Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they
CVE-2021-21612
5.5 - Medium
- January 13, 2021
Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Insufficiently Protected Credentials
Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they
CVE-2021-21614
5.5 - Medium
- January 13, 2021
Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Insufficiently Protected Credentials
Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses
CVE-2021-21613
6.1 - Medium
- January 13, 2021
Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.
XSS
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
CVE-2020-2320
9.8 - Critical
- December 03, 2020
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
Download of Code Without Integrity Check
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier
CVE-2020-2321
8.1 - High
- December 03, 2020
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
Session Riding
Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2324
7.5 - High
- December 03, 2020
Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Active Directory Plugin 2.19 and earlier
CVE-2020-2299
9.8 - Critical
- November 04, 2020
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password.
authentification
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which
CVE-2020-2300
9.8 - Critical
- November 04, 2020
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.
authentification
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of
CVE-2020-2301
9.8 - Critical
- November 04, 2020
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.
authentification
A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier
CVE-2020-2302
4.3 - Medium
- November 04, 2020
A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier
CVE-2020-2303
4.3 - Medium
- November 04, 2020
A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.
Session Riding
Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2304
6.5 - Medium
- November 04, 2020
Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2305
6.5 - Medium
- November 04, 2020
Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier
CVE-2020-2306
4.3 - Medium
- November 04, 2020
A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
AuthZ
Jenkins Kubernetes Plugin 1.27.3 and earlier
CVE-2020-2307
4.3 - Medium
- November 04, 2020
Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.
Information Disclosure
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier
CVE-2020-2308
4.3 - Medium
- November 04, 2020
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.
AuthZ
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier
CVE-2020-2309
4.3 - Medium
- November 04, 2020
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier
CVE-2020-2310
4.3 - Medium
- November 04, 2020
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier
CVE-2020-2311
4.3 - Medium
- November 04, 2020
A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.
AuthZ
Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.
CVE-2020-2312
6.5 - Medium
- November 04, 2020
Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.
Insufficiently Protected Credentials
A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier
CVE-2020-2313
4.3 - Medium
- November 04, 2020
A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AuthZ
Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it
CVE-2020-2314
5.5 - Medium
- November 04, 2020
Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Unprotected Storage of Credentials
Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2315
6.5 - Medium
- November 04, 2020
Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
XXE
Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips
CVE-2020-2316
5.4 - Medium
- November 04, 2020
Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
XSS
Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips
CVE-2020-2317
5.4 - Medium
- November 04, 2020
Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.
XSS
Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they
CVE-2020-2318
6.5 - Medium
- November 04, 2020
Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Unprotected Storage of Credentials
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it
CVE-2020-2319
6.5 - Medium
- November 04, 2020
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Unprotected Storage of Credentials
Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed
CVE-2020-2286
8.8 - High
- October 08, 2020
Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.
AuthZ