CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Jenkins : Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-21697 184 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
2 CVE-2021-21695 862 2021-11-04 2021-11-09
6.8
None Remote Medium Not required Partial Partial Partial
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
3 CVE-2021-21689 862 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
4 CVE-2021-21687 862 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
5 CVE-2021-21685 862 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
6 CVE-2021-21679 693 Bypass CSRF 2021-08-31 2021-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
7 CVE-2021-21678 693 Bypass CSRF 2021-08-31 2021-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
8 CVE-2021-21677 502 Exec Code 2021-08-31 2021-09-08
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
9 CVE-2021-21665 352 CSRF 2021-06-10 2021-06-15
6.0
None Remote Medium ??? Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
10 CVE-2021-21658 611 2021-05-25 2021-06-01
6.4
None Remote Low Not required Partial Partial None
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
11 CVE-2021-21657 611 2021-05-25 2021-06-01
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
12 CVE-2021-21646 693 Exec Code 2021-04-21 2021-04-26
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
13 CVE-2021-21638 352 CSRF 2021-03-30 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
14 CVE-2021-21633 352 CSRF 2021-03-30 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
15 CVE-2021-21629 352 CSRF 2021-03-30 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.
16 CVE-2021-21627 352 CSRF 2021-03-18 2021-03-24
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.
17 CVE-2021-21617 352 CSRF 2021-02-24 2021-02-26
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.
18 CVE-2021-21605 20 2021-01-13 2021-01-19
6.0
None Remote Medium ??? Partial Partial Partial
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.
19 CVE-2021-21604 502 2021-01-13 2021-01-15
6.0
None Remote Medium ??? Partial Partial Partial
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
20 CVE-2020-2286 863 2020-10-08 2020-10-23
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.
21 CVE-2020-2280 352 Exec Code CSRF 2020-09-23 2020-09-28
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code.
22 CVE-2020-2279 Exec Code Bypass 2020-09-23 2020-09-28
6.5
None Remote Low ??? Partial Partial Partial
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.
23 CVE-2020-2268 352 CSRF 2020-09-16 2020-09-21
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
24 CVE-2020-2261 78 Exec Code 2020-09-16 2020-09-18
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller
25 CVE-2020-2241 352 CSRF 2020-09-01 2020-09-04
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials.
26 CVE-2020-2240 352 CSRF 2020-09-01 2020-09-04
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
27 CVE-2020-2228 863 2020-07-15 2021-10-19
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.
28 CVE-2020-2211 502 Exec Code 2020-07-02 2020-07-06
6.5
None Remote Low ??? Partial Partial Partial
Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
29 CVE-2020-2200 78 2020-06-03 2020-06-04
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.
30 CVE-2020-2196 352 CSRF 2020-06-03 2020-06-03
6.0
None Remote Medium ??? Partial Partial Partial
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
31 CVE-2020-2189 502 Exec Code 2020-05-06 2020-05-07
6.5
None Remote Low ??? Partial Partial Partial
Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
32 CVE-2020-2187 295 2020-05-06 2020-05-11
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.
33 CVE-2020-2185 2020-05-06 2020-05-11
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.
34 CVE-2020-2180 502 Exec Code 2020-04-16 2020-04-28
6.5
None Remote Low ??? Partial Partial Partial
Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
35 CVE-2020-2179 502 Exec Code 2020-04-16 2020-04-27
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
36 CVE-2020-2171 611 2020-03-25 2020-03-30
6.5
None Remote Low ??? Partial Partial Partial
Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
37 CVE-2020-2168 20 Exec Code 2020-03-25 2020-03-30
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
38 CVE-2020-2167 20 Exec Code 2020-03-25 2020-03-30
6.5
None Remote Low ??? Partial Partial Partial
Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
39 CVE-2020-2166 20 Exec Code 2020-03-25 2020-03-30
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
40 CVE-2020-2160 352 Bypass CSRF 2020-03-25 2020-03-30
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
41 CVE-2020-2158 502 Exec Code 2020-03-09 2020-03-09
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
42 CVE-2020-2135 863 2020-03-09 2020-03-10
6.5
None Remote Low ??? Partial Partial Partial
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.
43 CVE-2020-2134 863 2020-03-09 2020-03-10
6.5
None Remote Low ??? Partial Partial Partial
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.
44 CVE-2020-2123 502 Exec Code 2020-02-12 2020-02-14
6.5
None Remote Low ??? Partial Partial Partial
Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
45 CVE-2020-2121 Exec Code 2020-02-12 2020-02-14
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
46 CVE-2020-2120 611 2020-02-12 2020-02-14
6.5
None Remote Low ??? Partial Partial Partial
Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
47 CVE-2020-2116 352 CSRF 2020-02-12 2020-02-14
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
48 CVE-2020-2115 611 2020-02-12 2020-02-14
6.5
None Remote Low ??? Partial Partial Partial
Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
49 CVE-2020-2110 20 2020-02-12 2020-07-13
6.5
None Remote Low ??? Partial Partial Partial
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
50 CVE-2020-2109 20 2020-02-12 2020-07-13
6.5
None Remote Low ??? Partial Partial Partial
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
Total number of vulnerabilities : 164   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.