Jenkins Email Extension
By the Year
In 2023 there have been 3 vulnerabilities in Jenkins Email Extension with an average score of 6.9 out of ten. Email Extension did not have any published security vulnerabilities last year. That is, 3 more vulnerabilities have already been reported in 2023 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 3 | 6.90 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 4.80 |
| 2019 | 1 | 9.90 |
| 2018 | 1 | 6.50 |
It may take a day or so for new Email Extension vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Email Extension Security Vulnerabilities
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection
CVE-2023-25765
9.9 - Critical
- February 15, 2023
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Protection Mechanism Failure
Jenkins Email Extension Plugin 2.93 and earlier does not escape
CVE-2023-25764
5.4 - Medium
- February 15, 2023
Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.
XSS
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates
CVE-2023-25763
5.4 - Medium
- February 15, 2023
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.
XSS
Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.
CVE-2020-2253
4.8 - Medium
- September 16, 2020
Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.
Improper Certificate Validation
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java
CVE-2019-1003032
9.9 - Critical
- March 08, 2019
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
7PK - Security Features
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java
CVE-2018-1000176
6.5 - Medium
- May 08, 2018
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Jenkins Email Extension or by Jenkins? Click the Watch button to subscribe.
