Jenkins CI / CD Server

stack.watch can notify you when security vulnerabilities are reported in any Jenkins product. You can add multiple products that you use with Jenkins to create your own personal software stack watcher.

Products by Jenkins Sorted by Most Security Vulnerabilities since 2018

Jenkins - 58 vulnerabilities (Continuous Integration Engine)
Jenkins Script Security - 18 vulnerabilities
Jenkins Pipeline - 8 vulnerabilities
Jenkins Electricflow - 6 vulnerabilities
Jenkins Amazon Ec2 - 6 vulnerabilities
Jenkins Websphere Deployer - 5 vulnerabilities
Jenkins Project Inheritance - 5 vulnerabilities
Jenkins Credentials Binding - 4 vulnerabilities
Jenkins Kubernetes Ci - 4 vulnerabilities
Jenkins Rundeck - 4 vulnerabilities
Jenkins Gerrit Trigger - 4 vulnerabilities
Jenkins Rapiddeploy - 4 vulnerabilities
Jenkins Git - 4 vulnerabilities
Jenkins Audit To Database - 3 vulnerabilities
Jenkins Azure Vm Agents - 3 vulnerabilities
Jenkins Team Concert - 3 vulnerabilities
Jenkins Icescrum - 3 vulnerabilities
Jenkins Ansible Tower - 3 vulnerabilities
Jenkins Black Duck Hub - 3 vulnerabilities
Jenkins Soasta Cloudtest - 3 vulnerabilities
Jenkins Job Import - 3 vulnerabilities
Jenkins Openshift Deployer - 3 vulnerabilities
Jenkins Vsphere - 3 vulnerabilities
Jenkins Kmap - 3 vulnerabilities
Jenkins Maven - 3 vulnerabilities
Jenkins Docker - 3 vulnerabilities
Jenkins Github - 3 vulnerabilities
Jenkins Ftp Publisher - 3 vulnerabilities
Jenkins Mac - 3 vulnerabilities
Jenkins Libvirt Slaves - 3 vulnerabilities
Jenkins Spira Importer - 2 vulnerabilities
Jenkins Warnings - 2 vulnerabilities
Jenkins Kubernetes - 2 vulnerabilities
Jenkins Skytap Cloud Ci - 2 vulnerabilities
Jenkins Config File Provider - 2 vulnerabilities
Jenkins Gitlab Hook - 2 vulnerabilities
Jenkins Aws Codedeploy - 2 vulnerabilities
Jenkins Chef Sinatra - 2 vulnerabilities
Jenkins Git Changelog - 2 vulnerabilities
Jenkins Openid - 2 vulnerabilities
Jenkins Xebialabs Xl Deploy - 2 vulnerabilities
Jenkins Email Extension - 2 vulnerabilities
Jenkins Azure Ad - 2 vulnerabilities
Jenkins Code Coverage Api - 2 vulnerabilities
Jenkins Jira - 2 vulnerabilities
Jenkins Gearman - 2 vulnerabilities
Jenkins Octopusdeploy - 2 vulnerabilities
Jenkins Slack Notification - 2 vulnerabilities
Jenkins Token Macro - 2 vulnerabilities
Jenkins Jclouds - 2 vulnerabilities
Jenkins Subversion - 2 vulnerabilities
Jenkins Xl Testview - 2 vulnerabilities
Jenkins Fortify On Demand - 2 vulnerabilities
Jenkins Sounds - 2 vulnerabilities
Jenkins Github Oauth - 2 vulnerabilities
Jenkins M2release - 2 vulnerabilities
Jenkins P4 - 2 vulnerabilities
Jenkins Inedo Buildmaster - 2 vulnerabilities
Jenkins Groovy - 2 vulnerabilities
Jenkins Kubernetes Pipeline - 2 vulnerabilities
Jenkins Gitlab Oauth - 2 vulnerabilities
Jenkins Git Parameter - 2 vulnerabilities
Jenkins Repository Connector - 2 vulnerabilities
Jenkins Html Publisher - 2 vulnerabilities
Jenkins Blue Ocean - 2 vulnerabilities
Jenkins S3 Publisher - 2 vulnerabilities
Jenkins Testlink - 2 vulnerabilities
Jenkins Deploy Weblogic - 2 vulnerabilities
Jenkins Inedo Proget - 2 vulnerabilities
Jenkins Fitnesse - 2 vulnerabilities
Jenkins Junit - 2 vulnerabilities
Jenkins Tracetronic Ecu Test - 2 vulnerabilities
Jenkins Support Core - 2 vulnerabilities
Jenkins Nomad - 2 vulnerabilities
Jenkins Google Login - 2 vulnerabilities
Jenkins Koji - 2 vulnerabilities
Jenkins Gitlab - 2 vulnerabilities
Jenkins Deployhub - 2 vulnerabilities

By the Year

In 2020 there have been 104 vulnerabilities in Jenkins with an average score of 6.3 out of ten. Last year Jenkins had 340 security vulnerabilities published. Right now, Jenkins is on track to have fewer security vulnerabilities in 2020 than it did last year. Last year, the average CVE base score was greater by 0.76.

Year   Vulnerabilities   Average Score
2020   104               6.27
2019   340               7.02
2018   113               6.52

It may take a day or so for new Jenkins vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Jenkins Security Vulnerabilities

A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods

CVE-2020-2202 4.3 - Medium - July 02, 2020

A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Incorrect Permission Assignment for Critical Resource

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2211 8.8 - High - July 02, 2020

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier

CVE-2020-2216 4.3 - Medium - July 02, 2020

A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password.

AuthZ

A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier

CVE-2020-2215 4.3 - Medium - July 02, 2020

A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.

Cross-Site Request Forgery (CSRF)

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.

CVE-2020-2197 4.3 - Medium - June 03, 2020

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.

Incorrect Default Permissions

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.

CVE-2020-2198 6.5 - Medium - June 03, 2020

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.

Insufficiently Protected Credentials

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page

CVE-2020-2190 5.4 - Medium - June 03, 2020

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

XSS

Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents

CVE-2020-2185 5.6 - Medium - May 06, 2020

Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier

CVE-2020-2186 4.3 - Medium - May 06, 2020

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.

Cross-Site Request Forgery (CSRF)

Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation

CVE-2020-2187 5.6 - Medium - May 06, 2020

Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.

Improper Certificate Validation

A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods

CVE-2020-2188 4.3 - Medium - May 06, 2020

A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

AuthZ

Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks

CVE-2020-2183 6.5 - Medium - May 06, 2020

Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.

Incorrect Default Permissions

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask secrets in the build log when the build contains no build steps

CVE-2020-2181 6.5 - Medium - May 06, 2020

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.

Insufficiently Protected Credentials

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask secrets containing a `$` character in some circumstances

CVE-2020-2182 4.3 - Medium - May 06, 2020

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.

Insufficiently Protected Credentials

A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier

CVE-2020-2184 4.3 - Medium - May 06, 2020

A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.

Cross-Site Request Forgery (CSRF)

Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2189 8.8 - High - May 06, 2020

Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2180 8.8 - High - April 16, 2020

Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master

CVE-2020-2177 4.3 - Medium - April 16, 2020

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Cleartext Storage of Sensitive Information

Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2178 7.1 - High - April 16, 2020

Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2179 8.8 - High - April 16, 2020

Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output

CVE-2020-2174 6.1 - Medium - April 07, 2020

Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.

XSS

Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2172 6.5 - Medium - April 07, 2020

Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI

CVE-2020-2175 5.4 - Medium - April 07, 2020

Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

XSS

Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin

CVE-2020-2173 5.4 - Medium - April 07, 2020

Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.

XSS

Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service

CVE-2020-2176 5.4 - Medium - April 07, 2020

Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

XSS

Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2168 8.8 - High - March 25, 2020

Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Improper Input Validation

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs

CVE-2020-2160 8.8 - High - March 25, 2020

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

Cross-Site Request Forgery (CSRF)

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels

CVE-2020-2161 5.4 - Medium - March 25, 2020

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

XSS

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build

CVE-2020-2162 5.4 - Medium - March 25, 2020

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.

XSS

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers

CVE-2020-2163 5.4 - Medium - March 25, 2020

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.

XSS

Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2167 8.8 - High - March 25, 2020

Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Improper Input Validation

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2166 8.8 - High - March 25, 2020

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Improper Input Validation

A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message

CVE-2020-2169 6.1 - Medium - March 25, 2020

A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.

XSS

Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server

CVE-2020-2170 5.4 - Medium - March 25, 2020

Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

XSS

Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2171 8.8 - High - March 25, 2020

Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation

CVE-2020-2140 6.1 - Medium - March 09, 2020

Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.

XSS

Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms

CVE-2020-2153 4.3 - Medium - March 09, 2020

Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2138 7.1 - High - March 09, 2020

Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier

CVE-2020-2139 6.5 - Medium - March 09, 2020

An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system.

Directory traversal

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master

CVE-2020-2159 8.8 - High - March 09, 2020

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

Shell injection

Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms

CVE-2020-2156 4.3 - Medium - March 09, 2020

Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation

CVE-2020-2136 5.4 - Medium - March 09, 2020

Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.

XSS

Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types

CVE-2020-2158 8.8 - High - March 09, 2020

Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form

CVE-2020-2143 5.3 - Medium - March 09, 2020

Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin

CVE-2020-2146 7.4 - High - March 09, 2020

Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

Improper Verification of Cryptographic Signature

A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier

CVE-2020-2147 4.3 - Medium - March 09, 2020

A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

Cross-Site Request Forgery (CSRF)

A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier

CVE-2020-2148 4.3 - Medium - March 09, 2020

A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

AuthZ

Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form

CVE-2020-2155 5.3 - Medium - March 09, 2020

Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier

CVE-2020-2141 4.3 - Medium - March 09, 2020

A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce.

Cross-Site Request Forgery (CSRF)

A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier

CVE-2020-2142 4.3 - Medium - March 09, 2020

A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.

AuthZ

Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form

CVE-2020-2151 5.3 - Medium - March 09, 2020

Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Repository Connector Plugin 1.2.6 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form

CVE-2020-2149 5.3 - Medium - March 09, 2020

Jenkins Repository Connector Plugin 1.2.6 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2144 7.1 - High - March 09, 2020

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

CVE-2020-2134 8.8 - High - March 09, 2020

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

AuthZ

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects

CVE-2020-2135 8.8 - High - March 09, 2020

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

AuthZ

Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms

CVE-2020-2157 4.3 - Medium - March 09, 2020

Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Sonar Quality Gates Plugin 1.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form

CVE-2020-2150 5.3 - Medium - March 09, 2020

Jenkins Sonar Quality Gates Plugin 1.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Cleartext Transmission of Sensitive Information

Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation

CVE-2020-2152 6.1 - Medium - March 09, 2020

Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.

XSS

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output

CVE-2020-2137 4.8 - Medium - March 09, 2020

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

XSS

Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.

CVE-2020-2145 5.5 - Medium - March 09, 2020

Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.

Insufficiently Protected Credentials

Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.

CVE-2020-2154 5.5 - Medium - March 09, 2020

Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.

Cleartext Storage of Sensitive Information

Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master

CVE-2020-2133 6.5 - Medium - February 12, 2020

Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form

CVE-2020-2119 5.3 - Medium - February 12, 2020

Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Insufficiently Protected Credentials

Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master

CVE-2020-2127 4.3 - Medium - February 12, 2020

Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Insufficiently Protected Credentials

Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them

CVE-2020-2122 5.4 - Medium - February 12, 2020

Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.

XSS

Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master

CVE-2020-2125 4.3 - Medium - February 12, 2020

Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Insufficiently Protected Credentials

Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master

CVE-2020-2126 4.3 - Medium - February 12, 2020

Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.

Insufficiently Protected Credentials

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master

CVE-2020-2124 4.3 - Medium - February 12, 2020

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master

CVE-2020-2129 6.5 - Medium - February 12, 2020

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Insufficiently Protected Credentials

Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master

CVE-2020-2128 4.3 - Medium - February 12, 2020

Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2120 8.8 - High - February 12, 2020

Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI

CVE-2020-2112 5.4 - Medium - February 12, 2020

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

XSS

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI

CVE-2020-2113 5.4 - Medium - February 12, 2020

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

XSS

CVE-2020-2121 8.8 - High - February 12, 2020

Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

CVE-2020-2130 6.5 - Medium - February 12, 2020

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Insufficiently Protected Credentials

CVE-2020-2131 6.5 - Medium - February 12, 2020

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

CVE-2020-2115 8.8 - High - February 12, 2020

Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

XXE

CVE-2020-2132 6.5 - Medium - February 12, 2020

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

CVE-2020-2109 9.9 - Critical - February 12, 2020

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

Improper Input Validation

CVE-2020-2116 8.8 - High - February 12, 2020

A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CSRF (CWE-352)

CVE-2020-2117 4.3 - Medium - February 12, 2020

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Incorrect Default Permissions

CVE-2020-2118 4.3 - Medium - February 12, 2020

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Incorrect Default Permissions

CVE-2020-2123 8.8 - High - February 12, 2020

Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Marshaling, Unmarshaling

CVE-2020-2114 7.5 - High - February 12, 2020

Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Insufficiently Protected Credentials

CVE-2020-2110 9.9 - Critical - February 12, 2020

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Improper Input Validation

CVE-2020-2111 5.4 - Medium - February 12, 2020

Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.

XSS

CVE-2020-2106 5.4 - Medium - January 29, 2020

Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.

XSS

CVE-2020-2107 4.3 - Medium - January 29, 2020

Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Insufficiently Protected Credentials

CVE-2020-2099 8.6 - High - January 29, 2020

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

Use of Insufficiently Random Values

CVE-2020-2100 5.8 - Medium - January 29, 2020

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.

CVE-2020-2101 5.3 - Medium - January 29, 2020

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.

Information Exposure Through Discrepancy

CVE-2020-2102 5.3 - Medium - January 29, 2020

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.

Information Exposure Through Discrepancy

CVE-2020-2103 5.4 - Medium - January 29, 2020

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.

Information Leak

CVE-2020-2104 4.3 - Medium - January 29, 2020

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.

AuthZ

CVE-2020-2105 5.4 - Medium - January 29, 2020

REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.

Clickjacking (CWE-1021)

CVE-2020-2108 7.6 - High - January 29, 2020

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions.

XXE

CVE-2020-2090 8.8 - High - January 15, 2020

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

CSRF (CWE-352)

CVE-2020-2091 8.1 - High - January 15, 2020

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

Incorrect Default Permissions

CVE-2020-2096 6.1 - Medium - January 15, 2020

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

XSS

CVE-2020-2093 8.8 - High - January 15, 2020

A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.

CSRF (CWE-352)

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8