Jenkins : Security Vulnerabilities (CVSS score between 4 and 4.99)

Each entry below spans four lines, in this order:
Line 1: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Line 2: CVSS Score
Line 3: Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail.
Line 4: Description
101 CVE-2020-2174 79 XSS 2020-04-07 2020-04-07
4.3
None Remote Medium Not required None Partial None
Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
102 CVE-2020-2172 776 2020-04-07 2020-04-07
4.0
None Remote Low ??? Partial None None
Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
103 CVE-2020-2169 79 XSS 2020-03-25 2020-03-27
4.3
None Remote Medium Not required None Partial None
A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.
104 CVE-2020-2157 319 2020-03-09 2020-03-09
4.0
None Remote Low ??? Partial None None
Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
105 CVE-2020-2156 319 2020-03-09 2020-03-09
4.0
None Remote Low ??? Partial None None
Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
106 CVE-2020-2153 319 2020-03-09 2020-03-11
4.0
None Remote Low ??? Partial None None
Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
107 CVE-2020-2152 79 XSS 2020-03-09 2020-03-09
4.3
None Remote Medium Not required None Partial None
Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
108 CVE-2020-2148 863 2020-03-09 2020-03-09
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
109 CVE-2020-2147 352 CSRF 2020-03-09 2020-03-09
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
110 CVE-2020-2142 862 2020-03-09 2020-03-09
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.
111 CVE-2020-2141 352 CSRF 2020-03-09 2020-03-09
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce.
112 CVE-2020-2140 79 XSS 2020-03-09 2020-03-09
4.3
None Remote Medium Not required None Partial None
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
113 CVE-2020-2133 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
114 CVE-2020-2132 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
115 CVE-2020-2131 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
116 CVE-2020-2130 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
117 CVE-2020-2129 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
118 CVE-2020-2128 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
119 CVE-2020-2127 522 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
120 CVE-2020-2126 522 2020-02-12 2020-02-13
4.0
None Remote Low ??? Partial None None
Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.
121 CVE-2020-2125 522 2020-02-12 2020-02-13
4.0
None Remote Low ??? Partial None None
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
122 CVE-2020-2124 522 2020-02-12 2020-02-13
4.0
None Remote Low ??? Partial None None
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
123 CVE-2020-2118 276 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.
124 CVE-2020-2117 276 2020-02-12 2020-02-14
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
125 CVE-2020-2107 522 2020-01-29 2020-01-30
4.0
None Remote Low ??? Partial None None
Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
126 CVE-2020-2105 1021 2020-01-29 2020-03-17
4.3
None Remote Medium Not required None Partial None
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
127 CVE-2020-2104 863 2020-01-29 2020-03-17
4.0
None Remote Low ??? Partial None None
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
128 CVE-2020-2103 200 +Info 2020-01-29 2020-03-17
4.0
None Remote Low ??? None Partial None
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
129 CVE-2020-2096 79 XSS 2020-01-15 2020-01-21
4.3
None Remote Medium Not required None Partial None
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
130 CVE-2020-2095 922 2020-01-15 2020-01-22
4.0
None Remote Low ??? Partial None None
Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where it could be viewed by users with Extended Read permission, or access to the master file system.
131 CVE-2020-2094 276 2020-01-15 2020-01-22
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.
132 CVE-2019-1010241 522 2019-07-19 2020-09-30
4.0
None Remote Low ??? Partial None None
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.
133 CVE-2019-1003099 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
134 CVE-2019-1003098 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
135 CVE-2019-1003097 522 2019-04-04 2020-07-15
4.0
None Remote Low ??? Partial None None
Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
136 CVE-2019-1003096 522 2019-04-04 2020-07-15
4.0
None Remote Low ??? Partial None None
Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
137 CVE-2019-1003095 311 2019-04-04 2020-09-01
4.0
None Remote Low ??? Partial None None
Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
138 CVE-2019-1003094 311 2019-04-04 2020-09-01
4.0
None Remote Low ??? Partial None None
Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
139 CVE-2019-1003093 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
140 CVE-2019-1003092 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
141 CVE-2019-1003091 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
142 CVE-2019-1003090 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
143 CVE-2019-1003089 311 2019-04-04 2020-09-01
4.0
None Remote Low ??? Partial None None
Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
144 CVE-2019-1003088 311 2019-04-04 2020-09-01
4.0
None Remote Low ??? Partial None None
Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
145 CVE-2019-1003087 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
146 CVE-2019-1003086 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
147 CVE-2019-1003085 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
148 CVE-2019-1003084 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
149 CVE-2019-1003083 862 2019-04-04 2020-07-15
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
150 CVE-2019-1003082 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
Total number of vulnerabilities: 442 (this is page 3 of 9)