| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-27195 |
|
|
|
2022-03-15 |
2023-01-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system. |
|
2 |
CVE-2022-23114 |
522 |
|
|
2022-01-12 |
2022-01-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
3 |
CVE-2022-23105 |
319 |
|
|
2022-01-12 |
2022-01-18 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations. |
|
4 |
CVE-2022-20621 |
522 |
|
|
2022-01-12 |
2022-01-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
5 |
CVE-2022-20612 |
352 |
|
CSRF |
2022-01-12 |
2022-07-29 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. |
|
6 |
CVE-2021-21681 |
522 |
|
|
2021-08-31 |
2022-04-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
|
7 |
CVE-2021-21614 |
522 |
|
|
2021-01-13 |
2021-01-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
|
8 |
CVE-2021-21612 |
522 |
|
|
2021-01-13 |
2021-01-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
|
9 |
CVE-2020-2314 |
522 |
|
|
2020-11-04 |
2022-04-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
10 |
CVE-2020-2297 |
522 |
|
|
2020-10-08 |
2022-04-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
11 |
CVE-2020-2291 |
522 |
|
|
2020-10-08 |
2022-04-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
12 |
CVE-2020-2274 |
312 |
|
|
2020-09-16 |
2020-09-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
|
13 |
CVE-2020-2249 |
311 |
|
|
2020-09-01 |
2020-09-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. |
|
14 |
CVE-2020-2154 |
312 |
|
|
2020-03-09 |
2020-03-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system. |
|
15 |
CVE-2020-2145 |
522 |
|
|
2020-03-09 |
2020-03-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system. |
|
16 |
CVE-2019-1003048 |
311 |
|
|
2019-03-28 |
2020-09-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration. |
|
17 |
CVE-2019-1003044 |
352 |
|
CSRF |
2019-03-28 |
2020-06-23 |
2.1 |
None |
Remote |
High |
??? |
Partial |
None |
None |
|
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
|
18 |
CVE-2019-1003038 |
522 |
|
|
2019-03-08 |
2020-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration. |
|
19 |
CVE-2019-1003017 |
352 |
|
|
2019-02-06 |
2019-10-09 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. |
|
20 |
CVE-2019-16572 |
522 |
|
|
2019-12-17 |
2019-12-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
21 |
CVE-2019-16543 |
522 |
|
|
2019-11-21 |
2019-12-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
22 |
CVE-2019-10476 |
522 |
|
|
2019-10-23 |
2019-10-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
23 |
CVE-2019-10461 |
522 |
|
|
2019-10-23 |
2019-10-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
24 |
CVE-2019-10460 |
522 |
|
|
2019-10-23 |
2019-10-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
25 |
CVE-2019-10453 |
312 |
|
|
2019-10-16 |
2019-10-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
26 |
CVE-2019-10450 |
312 |
|
|
2019-10-16 |
2019-10-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
27 |
CVE-2019-10433 |
256 |
|
|
2019-10-01 |
2023-01-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
|
28 |
CVE-2019-10430 |
312 |
|
|
2019-09-25 |
2019-09-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
29 |
CVE-2019-10429 |
312 |
|
|
2019-09-25 |
2019-09-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
30 |
CVE-2019-10426 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
31 |
CVE-2019-10424 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
32 |
CVE-2019-10423 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
33 |
CVE-2019-10420 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
34 |
CVE-2019-10419 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
35 |
CVE-2019-10398 |
522 |
|
|
2019-09-12 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
36 |
CVE-2019-10397 |
319 |
|
|
2019-09-12 |
2021-10-28 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. |
|
37 |
CVE-2019-10378 |
522 |
|
|
2019-08-07 |
2020-10-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
38 |
CVE-2019-10367 |
532 |
|
|
2019-08-07 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. |
|
39 |
CVE-2019-10364 |
532 |
|
|
2019-07-31 |
2020-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. |
|
40 |
CVE-2019-10361 |
522 |
|
|
2019-07-31 |
2020-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. |
|
41 |
CVE-2019-10345 |
532 |
|
|
2019-07-31 |
2020-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. |
|
42 |
CVE-2019-10343 |
532 |
|
|
2019-07-31 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. |
|
43 |
CVE-2018-1999041 |
200 |
|
+Info |
2018-08-01 |
2018-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration. |
|
44 |
CVE-2018-1000410 |
200 |
|
+Info |
2019-01-09 |
2019-05-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. |
|
45 |
CVE-2018-1000404 |
522 |
|
|
2018-07-09 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later. |
|
46 |
CVE-2018-1000403 |
522 |
|
|
2018-07-09 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later. |
|
47 |
CVE-2018-1000401 |
522 |
|
|
2018-07-09 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later. |
|
48 |
CVE-2018-1000150 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users. |
|
49 |
CVE-2018-1000143 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
|
50 |
CVE-2018-1000142 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
