CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Jenkins : Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-34793 611 2022-06-30 2022-07-08
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
2 CVE-2022-34792 352 CSRF 2022-06-30 2022-07-08
6.0
None Remote Medium ??? Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.
3 CVE-2022-34203 352 CSRF 2022-06-23 2022-06-29
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server.
4 CVE-2022-34200 352 CSRF 2022-06-23 2022-10-07
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL.
5 CVE-2022-34181 693 2022-06-23 2022-06-29
6.4
None Remote Low Not required Partial Partial None
Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.
6 CVE-2022-30972 352 CSRF 2022-05-17 2022-05-25
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
7 CVE-2022-30971 611 2022-05-17 2022-05-25
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
8 CVE-2022-30969 352 Exec Code CSRF 2022-05-17 2022-05-25
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
9 CVE-2022-30958 352 CSRF 2022-05-17 2022-05-25
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
10 CVE-2022-30951 862 2022-05-17 2022-05-26
6.5
None Remote Low ??? Partial Partial Partial
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.
11 CVE-2022-30950 120 Exec Code Overflow 2022-05-17 2022-05-26
6.5
None Remote Low ??? Partial Partial Partial
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library which has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.
12 CVE-2022-30945 2022-05-17 2022-11-16
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
13 CVE-2022-29050 352 CSRF 2022-04-12 2022-04-20
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.
14 CVE-2022-28150 352 CSRF 2022-03-29 2022-04-05
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job.
15 CVE-2022-28136 352 CSRF 2022-03-29 2022-04-04
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
16 CVE-2022-27204 352 CSRF 2022-03-15 2022-03-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.
17 CVE-2022-27198 352 CSRF 2022-03-15 2022-03-23
6.0
None Remote Medium ??? Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.
18 CVE-2022-25212 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
19 CVE-2022-25211 862 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server using attacker-specified credentials.
20 CVE-2022-25209 611 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
21 CVE-2022-25208 862 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.
22 CVE-2022-25207 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.
23 CVE-2022-25206 862 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials.
24 CVE-2022-25205 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers to connect to an attacker-specified database via JDBC using attacker-specified credentials and to determine if a class is available in the Jenkins instance.
25 CVE-2022-25200 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
26 CVE-2022-25199 862 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
27 CVE-2022-25198 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
28 CVE-2022-25194 352 CSRF 2022-02-15 2022-02-23
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials.
29 CVE-2022-25192 352 CSRF 2022-02-15 2022-10-28
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
30 CVE-2022-25183 Exec Code 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.
31 CVE-2022-25182 Exec Code Bypass 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured.
32 CVE-2022-25181 Exec Code Bypass 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.
33 CVE-2022-25175 78 2022-02-15 2022-10-28
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
34 CVE-2022-25174 78 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
35 CVE-2022-25173 78 2022-02-15 2022-02-23
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
36 CVE-2022-20617 78 Exec Code 2022-01-12 2022-01-18
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository.
37 CVE-2021-21697 184 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
38 CVE-2021-21695 59 2021-11-04 2022-10-24
6.8
None Remote Medium Not required Partial Partial Partial
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
39 CVE-2021-21689 2021-11-04 2022-10-24
6.4
None Remote Low Not required Partial Partial None
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
40 CVE-2021-21687 862 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
41 CVE-2021-21685 862 2021-11-04 2021-11-08
6.4
None Remote Low Not required Partial Partial None
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
42 CVE-2021-21679 Bypass CSRF 2021-08-31 2022-10-25
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
43 CVE-2021-21678 Bypass CSRF 2021-08-31 2022-10-25
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
44 CVE-2021-21677 502 Exec Code 2021-08-31 2021-09-08
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
45 CVE-2021-21665 352 CSRF 2021-06-10 2021-06-15
6.0
None Remote Medium ??? Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
46 CVE-2021-21658 611 2021-05-25 2021-06-01
6.4
None Remote Low Not required Partial Partial None
Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
47 CVE-2021-21657 611 2021-05-25 2021-06-01
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
48 CVE-2021-21646 693 Exec Code 2021-04-21 2021-04-26
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
49 CVE-2021-21638 352 CSRF 2021-03-30 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
50 CVE-2021-21633 352 CSRF 2021-03-30 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
Total number of vulnerabilities : 200   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.