Filtered by vendor Jenkins
Subscribe
Total
1666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2025-04-20 | 3.5 LOW | 4.7 MEDIUM |
| Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. | |||||
| CVE-2017-1000087 | 1 Jenkins | 1 Github Branch Source | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | |||||
| CVE-2017-1000090 | 1 Jenkins | 1 Role-based Authorization Strategy | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. | |||||
| CVE-2016-3101 | 1 Jenkins | 1 Extra Columns | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. | |||||
| CVE-2025-31726 | 1 Jenkins | 1 Stack Hammer | 2025-04-18 | N/A | 5.5 MEDIUM |
| Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-31723 | 1 Jenkins | 1 Simple Queue | 2025-04-17 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order. | |||||
| CVE-2025-31724 | 1 Jenkins | 1 Cadence Vmanager | 2025-04-17 | N/A | 4.3 MEDIUM |
| Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-31725 | 1 Jenkins | 1 Monitor-remote-job | 2025-04-17 | N/A | 5.5 MEDIUM |
| Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-31727 | 1 Jenkins | 1 Asakusasatellite | 2025-04-17 | N/A | 5.5 MEDIUM |
| Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-31728 | 1 Jenkins | 1 Asakusasatellite | 2025-04-17 | N/A | 5.5 MEDIUM |
| Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2014-3664 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors. | |||||
| CVE-2016-0791 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. | |||||
| CVE-2015-5322 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/. | |||||
| CVE-2014-2064 | 1 Jenkins | 1 Jenkins | 2025-04-12 | 5.0 MEDIUM | N/A |
| The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts. | |||||
| CVE-2014-3667 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 4.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. | |||||
| CVE-2014-3666 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 7.5 HIGH | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel. | |||||
| CVE-2016-0792 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 9.0 HIGH | 8.8 HIGH |
| Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. | |||||
| CVE-2015-1808 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 3.5 LOW | N/A |
| Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. | |||||
| CVE-2014-3661 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 5.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake. | |||||
| CVE-2014-2063 | 1 Jenkins | 1 Jenkins | 2025-04-12 | 7.5 HIGH | N/A |
| Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | |||||