CVEdetails.com the ultimate security vulnerability data source

Jenkins : Security Vulnerabilities (CVSS score between 4 and 4.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43576 611 2021-11-12 2021-11-17
4.3
None Remote Medium Not required Partial None None
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
2 CVE-2021-21701 611 2021-11-12 2021-11-17
4.0
None Remote Low ??? Partial None None
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
3 CVE-2021-21684 79 XSS 2021-10-06 2021-10-15
4.3
None Remote Medium Not required None Partial None
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
4 CVE-2021-21676 862 2021-06-30 2021-07-07
4.0
None Remote Low ??? None Partial None
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.
5 CVE-2021-21675 352 CSRF 2021-06-30 2021-07-06
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.
6 CVE-2021-21674 862 2021-06-30 2021-07-07
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
7 CVE-2021-21672 611 2021-06-30 2021-07-06
4.0
None Remote Low ??? Partial None None
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
8 CVE-2021-21670 863 2021-06-30 2021-07-06
4.0
None Remote Low ??? None Partial None
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
9 CVE-2021-21666 79 XSS 2021-06-10 2021-06-15
4.3
None Remote Medium Not required None Partial None
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
10 CVE-2021-21664 863 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
11 CVE-2021-21663 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
12 CVE-2021-21662 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
13 CVE-2021-21661 862 2021-06-10 2021-06-15
4.0
None Remote Low ??? Partial None None
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
14 CVE-2021-21654 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? None Partial None
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
15 CVE-2021-21653 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? Partial None None
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
16 CVE-2021-21651 862 2021-05-11 2021-05-19
4.0
None Remote Low ??? Partial None None
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
17 CVE-2021-21648 79 XSS 2021-05-11 2021-05-14
4.3
None Remote Medium Not required None Partial None
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.
18 CVE-2021-21647 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? None Partial None
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
19 CVE-2021-21645 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? Partial None None
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.
20 CVE-2021-21643 863 2021-04-21 2021-04-24
4.0
None Remote Low ??? Partial None None
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
21 CVE-2021-21641 352 CSRF 2021-04-07 2021-04-13
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds.
22 CVE-2021-21640 240 2021-04-07 2021-04-13
4.0
None Remote Low ??? None Partial None
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
23 CVE-2021-21639 20 2021-04-07 2021-04-13
4.0
None Remote Low ??? None Partial None
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
24 CVE-2021-21637 862 2021-03-30 2021-04-05
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
25 CVE-2021-21636 862 2021-03-30 2021-04-05
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
26 CVE-2021-21634 522 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
27 CVE-2021-21632 862 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
28 CVE-2021-21631 862 2021-03-30 2021-04-02
4.0
None Remote Low ??? Partial None None
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.
29 CVE-2021-21626 862 2021-03-18 2021-03-24
4.0
None Remote Low ??? None Partial None
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.
30 CVE-2021-21625 862 2021-03-18 2021-03-24
4.0
None Remote Low ??? Partial None None
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
31 CVE-2021-21624 863 2021-03-18 2021-03-24
4.0
None Remote Low ??? Partial None None
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.
32 CVE-2021-21623 863 2021-03-18 2021-03-23
4.0
None Remote Low ??? Partial None None
An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.
33 CVE-2021-21620 352 CSRF 2021-02-24 2021-02-26
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.
34 CVE-2021-21613 79 XSS 2021-01-13 2021-01-19
4.3
None Remote Medium Not required None Partial None
Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.
35 CVE-2021-21610 79 XSS 2021-01-13 2021-01-15
4.3
None Remote Medium Not required None Partial None
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
36 CVE-2021-21607 770 2021-01-13 2021-01-15
4.0
None Remote Low ??? None None Partial
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.
37 CVE-2021-21606 20 2021-01-13 2021-01-15
4.0
None Remote Low ??? Partial None None
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence, allowing an attacker to check for the existence of XML files with a short path.
38 CVE-2021-21602 59 2021-01-13 2021-01-15
4.0
None Remote Low ??? Partial None None
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.
39 CVE-2020-2319 256 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
40 CVE-2020-2318 256 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
41 CVE-2020-2315 611 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
42 CVE-2020-2313 862 2020-11-04 2020-11-06
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
43 CVE-2020-2312 522 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs.
44 CVE-2020-2311 862 2020-11-04 2020-11-06
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.
45 CVE-2020-2310 862 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
46 CVE-2020-2309 862 2020-11-04 2020-11-06
4.0
None Remote Low ??? Partial None None
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
47 CVE-2020-2308 862 2020-11-04 2020-11-06
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.
48 CVE-2020-2307 200 +Info 2020-11-04 2020-11-09
4.0
None Remote Low ??? Partial None None
Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.
49 CVE-2020-2306 862 2020-11-04 2020-11-06
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
50 CVE-2020-2305 611 2020-11-04 2020-11-10
4.0
None Remote Low ??? Partial None None
Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Total number of vulnerabilities: 442. Page 1 of 9.