CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Jenkins : Security Vulnerabilities (CVSS score between 3 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-23113 22 Dir. Trav. 2022-01-12 2022-01-19
4.0
None Remote Low ??? Partial None None
Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.
2 CVE-2022-23112 862 2022-01-12 2022-01-18
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.
3 CVE-2022-23111 352 CSRF 2022-01-12 2022-01-18
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
4 CVE-2022-23110 79 XSS 2022-01-12 2022-01-18
3.5
None Remote Medium ??? None Partial None
Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
5 CVE-2022-23109 522 2022-01-12 2022-01-18
4.0
None Remote Low ??? Partial None None
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.
6 CVE-2022-23108 79 XSS 2022-01-12 2022-01-18
3.5
None Remote Medium ??? None Partial None
Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
7 CVE-2022-20620 668 2022-01-12 2022-01-18
4.0
None Remote Low ??? Partial None None
Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
8 CVE-2022-20618 732 2022-01-12 2022-01-20
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
9 CVE-2022-20616 732 2022-01-12 2022-01-18
4.0
None Remote Low ??? Partial None None
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.
10 CVE-2022-20615 79 XSS 2022-01-12 2022-01-18
3.5
None Remote Medium ??? None Partial None
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
11 CVE-2022-20614 732 2022-01-12 2022-01-18
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
12 CVE-2022-20613 352 CSRF 2022-01-12 2022-01-18
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
13 CVE-2021-43576 611 2021-11-12 2021-11-17
4.3
None Remote Medium Not required Partial None None
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
14 CVE-2021-21701 611 2021-11-12 2021-11-17
4.0
None Remote Low ??? Partial None None
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
15 CVE-2021-21700 79 XSS 2021-11-12 2021-11-17
3.5
None Remote Medium ??? None Partial None
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts.
16 CVE-2021-21699 79 XSS 2021-11-12 2021-11-17
3.5
None Remote Medium ??? None Partial None
Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
17 CVE-2021-21684 79 XSS 2021-10-06 2021-10-15
4.3
None Remote Medium Not required None Partial None
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
18 CVE-2021-21676 862 2021-06-30 2021-07-07
4.0
None Remote Low ??? None Partial None
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.
19 CVE-2021-21675 352 CSRF 2021-06-30 2021-07-06
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.
20 CVE-2021-21674 862 2021-06-30 2021-07-07
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
21 CVE-2021-21672 611 2021-06-30 2021-07-06
4.0
None Remote Low ??? Partial None None
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
22 CVE-2021-21670 863 2021-06-30 2021-07-06
4.0
None Remote Low ??? None Partial None
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
23 CVE-2021-21668 79 XSS 2021-06-16 2021-06-22
3.5
None Remote Medium ??? None Partial None
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
24 CVE-2021-21667 79 XSS 2021-06-16 2021-06-22
3.5
None Remote Medium ??? None Partial None
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
25 CVE-2021-21666 79 XSS 2021-06-10 2021-06-15
4.3
None Remote Medium Not required None Partial None
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
26 CVE-2021-21664 863 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
27 CVE-2021-21663 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
28 CVE-2021-21662 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
29 CVE-2021-21661 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
30 CVE-2021-21660 79 XSS 2021-05-25 2021-06-01
3.5
None Remote Medium ??? None Partial None
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.
31 CVE-2021-21654 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? None Partial None
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
32 CVE-2021-21653 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? Partial None None
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
33 CVE-2021-21651 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? Partial None None
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
34 CVE-2021-21650 862 +Info 2021-05-11 2021-05-19
3.5
None Remote Medium ??? Partial None None
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
35 CVE-2021-21649 79 XSS 2021-05-11 2021-05-14
3.5
None Remote Medium ??? None Partial None
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
36 CVE-2021-21648 79 XSS 2021-05-11 2021-05-14
4.3
None Remote Medium Not required None Partial None
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.
37 CVE-2021-21647 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? None Partial None
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
38 CVE-2021-21645 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? Partial None None
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs.
39 CVE-2021-21643 863 2021-04-21 2021-04-24
4.0
None Remote Low ??? Partial None None
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
40 CVE-2021-21641 352 CSRF 2021-04-07 2021-04-13
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds.
41 CVE-2021-21640 240 2021-04-07 2021-04-13
4.0
None Remote Low ??? None Partial None
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
42 CVE-2021-21639 20 2021-04-07 2021-04-13
4.0
None Remote Low ??? None Partial None
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
43 CVE-2021-21637 862 2021-03-30 2021-04-05
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
44 CVE-2021-21636 862 2021-03-30 2021-04-05
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
45 CVE-2021-21635 79 XSS 2021-03-30 2021-04-05
3.5
None Remote Medium ??? None Partial None
Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
46 CVE-2021-21634 522 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
47 CVE-2021-21632 862 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
48 CVE-2021-21631 862 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.
49 CVE-2021-21630 79 XSS 2021-03-30 2021-04-02
3.5
None Remote Medium ??? None Partial None
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
50 CVE-2021-21628 79 XSS 2021-03-30 2021-04-02
3.5
None Remote Medium ??? None Partial None
Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Total number of vulnerabilities : 581   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.