| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-28165 |
400 |
|
|
2021-04-01 |
2022-05-12 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. |
|
2 |
CVE-2019-1003050 |
79 |
|
XSS |
2019-04-10 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. |
|
3 |
CVE-2019-1003049 |
613 |
|
|
2019-04-10 |
2022-04-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. |
|
4 |
CVE-2019-10384 |
352 |
|
Bypass CSRF |
2019-08-28 |
2022-04-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. |
|
5 |
CVE-2019-10383 |
79 |
|
XSS |
2019-08-28 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages. |
|
6 |
CVE-2018-1999007 |
79 |
|
XSS |
2018-07-23 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. |
|
7 |
CVE-2018-1999005 |
79 |
|
XSS |
2018-07-23 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
8 |
CVE-2018-1999004 |
863 |
|
|
2018-07-23 |
2022-04-20 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. |
|
9 |
CVE-2018-1999003 |
863 |
|
|
2018-07-23 |
2022-04-20 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. |
|
10 |
CVE-2018-1999002 |
20 |
|
|
2018-07-23 |
2022-04-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. |
|
11 |
CVE-2018-1999001 |
20 |
|
|
2018-07-23 |
2022-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. |
|
12 |
CVE-2018-1000195 |
352 |
|
|
2018-06-05 |
2022-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. |
|
13 |
CVE-2018-1000194 |
22 |
|
Dir. Trav. Bypass |
2018-06-05 |
2022-04-20 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. |
|
14 |
CVE-2018-1000193 |
74 |
|
|
2018-06-05 |
2022-04-20 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. |
|
15 |
CVE-2018-1000192 |
200 |
|
+Info |
2018-06-05 |
2022-04-20 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. |
|
16 |
CVE-2018-1000068 |
200 |
|
+Info |
2018-02-16 |
2022-04-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. |
|
17 |
CVE-2018-1000067 |
918 |
|
|
2018-02-16 |
2022-04-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. |
|
18 |
CVE-2018-6356 |
22 |
|
Dir. Trav. |
2018-02-20 |
2022-04-20 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. |
|
19 |
CVE-2017-1000503 |
362 |
|
Exec Code |
2018-01-24 |
2018-02-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. |
|
20 |
CVE-2017-1000362 |
200 |
|
+Info |
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present. |
|
21 |
CVE-2017-1000356 |
352 |
|
|
2018-01-29 |
2018-02-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. |
|
22 |
CVE-2017-1000355 |
502 |
|
|
2018-01-29 |
2018-02-15 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. |
|
23 |
CVE-2017-1000354 |
287 |
|
|
2018-01-29 |
2018-02-15 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. |
|
24 |
CVE-2017-1000353 |
502 |
|
Exec Code Bypass |
2018-01-29 |
2022-04-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. |
|
25 |
CVE-2017-17383 |
79 |
|
XSS |
2017-12-06 |
2017-12-22 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. |
|
26 |
CVE-2017-2613 |
352 |
|
CSRF |
2018-05-15 |
2019-10-09 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). |
|
27 |
CVE-2017-2612 |
732 |
|
|
2018-05-15 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
|
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. |
|
28 |
CVE-2017-2611 |
863 |
|
|
2018-05-08 |
2020-09-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents. |
|
29 |
CVE-2017-2610 |
79 |
|
XSS |
2018-05-15 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). |
|
30 |
CVE-2017-2609 |
200 |
|
+Info |
2018-05-22 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. |
|
31 |
CVE-2017-2608 |
502 |
|
Exec Code |
2018-05-15 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). |
|
32 |
CVE-2017-2607 |
79 |
|
XSS |
2018-05-21 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. |
|
33 |
CVE-2017-2606 |
200 |
|
+Info |
2018-05-08 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. |
|
34 |
CVE-2017-2604 |
287 |
|
|
2018-05-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). |
|
35 |
CVE-2017-2603 |
200 |
|
+Info |
2018-05-15 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). |
|
36 |
CVE-2017-2602 |
|
|
|
2018-05-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). |
|
37 |
CVE-2017-2601 |
79 |
|
XSS |
2018-05-10 |
2022-05-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. |
|
38 |
CVE-2017-2600 |
200 |
|
+Info |
2018-05-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). |
|
39 |
CVE-2017-2599 |
863 |
|
|
2018-04-11 |
2020-12-04 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). |
|
40 |
CVE-2017-2598 |
326 |
|
|
2018-05-23 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). |
|
41 |
CVE-2016-3727 |
200 |
|
+Info |
2016-05-17 |
2018-01-05 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. |
|
42 |
CVE-2016-3726 |
|
|
|
2016-05-17 |
2018-01-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs. |
|
43 |
CVE-2016-3725 |
264 |
|
DoS |
2016-05-17 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). |
|
44 |
CVE-2016-3724 |
200 |
|
+Info |
2016-05-17 |
2018-01-05 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. |
|
45 |
CVE-2016-3723 |
200 |
|
+Info |
2016-05-17 |
2018-01-05 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. |
|
46 |
CVE-2016-3722 |
264 |
|
DoS |
2016-05-17 |
2018-01-05 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name." |
|
47 |
CVE-2016-3721 |
17 |
|
|
2016-05-17 |
2018-01-05 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. |
|
48 |
CVE-2016-0792 |
20 |
|
Exec Code |
2016-04-07 |
2018-01-05 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. |
|
49 |
CVE-2016-0791 |
200 |
|
Bypass +Info CSRF |
2016-04-07 |
2018-01-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. |
|
50 |
CVE-2016-0790 |
200 |
|
+Info |
2016-04-07 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. |
