jenkins

374 known vulnerabilities across versions
Vulnerabilities are listed by affected version range. Each entry gives the CVE ID, the range in the notation used below ("< X", "<= X", ">= A and < B", or "all versions"), the opening of the advisory text, and the CVSS score with its severity. The range column carries the weekly release bound only; for LTS installations use the LTS bound quoted in the advisory text (CVE-2026-33001, for example, is listed as "< 2.555" but affects LTS 2.541.2 and earlier). Where the advisory text says "except X", the range column can also omit affected releases that fall between the backport and the fix (compare the range and the text of CVE-2024-52550).
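Added example, not part of this listing and not Jenkins project code: a small Python checker that parses the range notation used on this page ("all versions", "< X", "<= X", ">= A and < B") and decides whether an installed core or plugin version falls inside it. It assumes that ordering Jenkins versions by their leading numeric components reproduces Jenkins's own ordering, including incremental plugin versions such as 1183.v774b_0b_0a_a_451 and backports such as 3975.3977.v478dd9e956c3, and it treats the trailing commit-hash qualifier as inert. The CVE IDs and bounds in the sample table are copied from entries below; the installed version strings fed to it are constructed.

```python
# Added example, not part of this listing: match an installed Jenkins core or
# plugin version against the affected-version expressions used on this page.
import re
from dataclasses import dataclass

_CLAUSE = re.compile(r"(<=|>=|<|>)\s*(\S+)")


@dataclass(frozen=True)
class Version:
    """A Jenkins version split into its numeric prefix and a qualifier.

    Core releases look like 2.541.2. Incremental plugin releases look like
    1183.v774b_0b_0a_a_451 (commit count, then a commit-hash qualifier) or, for
    a backport, 3975.3977.v478dd9e956c3 (backport count, parent count, hash).
    Assumption: ordering by the numeric prefix reproduces Jenkins's own order;
    the hash qualifier never takes part in the comparison.
    """
    parts: tuple
    qualifier: str = ""

    @classmethod
    def parse(cls, text: str) -> "Version":
        pieces = text.strip().split(".")
        parts = []
        for piece in pieces:
            if not piece.isdigit():
                break
            parts.append(int(piece))
        if not parts:
            raise ValueError(f"no numeric prefix in version {text!r}")
        return cls(tuple(parts), ".".join(pieces[len(parts):]))

    def compare(self, other: "Version") -> int:
        """-1, 0 or 1; missing trailing components count as 0 (2.541 == 2.541.0)."""
        width = max(len(self.parts), len(other.parts))
        a = self.parts + (0,) * (width - len(self.parts))
        b = other.parts + (0,) * (width - len(other.parts))
        return (a > b) - (a < b)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def in_range(installed: str, expr: str) -> bool:
    """True if `installed` satisfies a range in the page's notation:
    'all versions', '< 2.555', '<= 1183.v774b_0b_0a_a_451', '>= 2.442 and < 2.555'."""
    if expr.strip().lower() == "all versions":
        return True
    clauses = _CLAUSE.findall(expr)
    if not clauses:
        raise ValueError(f"unrecognised range expression {expr!r}")
    v = Version.parse(installed)
    return all(_OPS[op](v.compare(Version.parse(bound))) for op, bound in clauses)


def is_affected(installed: str, expr: str, exceptions=()) -> bool:
    """Range check plus the 'except X' releases an advisory names. A backport
    (3975.3977.v478dd9e956c3 for CVE-2024-52550) sits numerically below the
    3990.vd281dd77a_388 bound, so it has to be excluded by exact match."""
    v = Version.parse(installed)
    if any(v == Version.parse(e) for e in exceptions):
        return False
    return in_range(installed, expr)


# Constructed sample of core entries copied from the listing. The ranges are the
# weekly-line bounds the page shows; an LTS install must be checked against the
# LTS bound quoted in the advisory text instead.
CORE_ENTRIES = {
    "CVE-2026-33002": ">= 2.442 and < 2.555",
    "CVE-2026-33001": "< 2.555",
    "CVE-2026-27099": ">= 2.483 and < 2.551",
    "CVE-2024-23897": "< 2.442",
}


def matching_cves(installed: str, entries=CORE_ENTRIES) -> list:
    """Sorted CVE IDs from `entries` whose range covers `installed`."""
    return sorted(cve for cve, expr in entries.items() if is_affected(installed, expr))


if __name__ == "__main__":
    for v in ("2.441", "2.554", "2.555"):  # installed versions are constructed
        print(v, matching_cves(v))
```

Two caveats the code makes explicit: a backport named as "except X" in the advisory text must be excluded by exact match because it sorts below the fixed release, and the single range shown per entry is the weekly-line bound, so for an LTS install the bound to feed in is the LTS version quoted in the advisory text rather than the range column.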
CVE-2026-42519
<= 1399.ve6a_66547f6e1
A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read pe
4.3MEDIUM
CVE-2026-33002
>= 2.442 and < 2.555
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of reque
7.5HIGH
CVE-2026-33001
< 2.555
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz
8.8HIGH
CVE-2026-27100
< 2.551
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build
4.3MEDIUM
CVE-2026-27099
>= 2.483 and < 2.551
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided descr
8.0HIGH
CVE-2025-67639
< 2.541
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick
3.5LOW
CVE-2025-67638
< 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration for
4.3MEDIUM
CVE-2025-67637
< 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Je
4.3MEDIUM
CVE-2025-67636
< 2.541
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to vie
4.3MEDIUM
CVE-2025-67635
< 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream b
7.5HIGH
CVE-2025-59476
< 2.528
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-sp
5.3MEDIUM
CVE-2025-59475
< 2.528
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown
4.3MEDIUM
CVE-2025-59474
< 2.528
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally ac
5.3MEDIUM
CVE-2024-9453
all versions
A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a h
6.5MEDIUM
CVE-2025-31721
< 2.504
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission
4.3MEDIUM
CVE-2025-31720
< 2.504
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission
4.3MEDIUM
CVE-2025-27625
< 2.500
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (\) characters are considered safe, all
4.3MEDIUM
CVE-2025-27624
< 2.500
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have u
5.4MEDIUM
CVE-2025-27623
< 2.500
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of view
4.3MEDIUM
CVE-2025-27622
< 2.500
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agen
4.3MEDIUM
CVE-2024-52551
<= 2.2214.vb_b_34b_2ea_9b_83
Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script us
8.0HIGH
CVE-2024-52550
< 3975.3977.v478dd9e956c3
Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (J
8.0HIGH
CVE-2024-52549
< 1362.1364.v4cf2dc5d8776
Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, do
4.3MEDIUM
CVE-2024-47804
< 2.479
If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or `TopLevelItemDescriptor#isApplicable
4.3MEDIUM
CVE-2024-47803
< 2.479
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form s
4.3MEDIUM
CVE-2024-43045
< 2.471
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers wit
6.3MEDIUM
CVE-2024-43044
< 2.471
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file
8.8HIGH
CVE-2024-34145
<= 1335.vf07d9ce377a_e
A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Scrip
8.8HIGH
CVE-2024-34144
<= 1335.vf07d9ce377a_e
A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earl
9.8CRITICAL
CVE-2024-23898
>= 2.217 and <= 2.441
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of r
8.8HIGH
CVE-2024-23897
< 2.442
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' chara
9.8CRITICAL
CVE-2023-36478
< 2.428
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 t
7.5HIGH
CVE-2023-44487
<= 2.427
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5HIGH
CVE-2023-43498
< 2.424
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary fil
8.1HIGH
CVE-2023-43497
< 2.424
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary f
8.1HIGH
CVE-2023-43496
< 2.424
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default per
8.8HIGH
CVE-2023-43495
< 2.424
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'Expandable
5.4MEDIUM
CVE-2023-43494
>= 2.50 and < 2.424
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variable
4.3MEDIUM
CVE-2023-40341
<= 1.27.5
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to a
8.8HIGH
CVE-2023-39151
<= 2.415
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them
5.4MEDIUM
CVE-2023-37943
<= 2.30
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connecti
5.9MEDIUM
CVE-2023-35141
< 2.400
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If par
8.0HIGH
CVE-2023-32980
<= 2.96
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop wat
4.3MEDIUM
CVE-2023-32979
<= 2.96
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers wi
4.3MEDIUM
CVE-2023-32977
<= 1292.v27d8cc3e2602
Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting i
5.4MEDIUM
CVE-2023-27904
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are b
5.3MEDIUM
CVE-2023-27903
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default pe
4.4MEDIUM
CVE-2023-27902
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers w
4.3MEDIUM
CVE-2023-27901
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the nu
7.5HIGH
CVE-2023-27900
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the nu
7.5HIGH
CVE-2023-27899
< 2.394
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default pe
7.0HIGH
CVE-2023-27898
>= 2.270 and < 2.394
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a p
9.6CRITICAL
CVE-2023-25765
< 2.93.1
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protecti
9.9CRITICAL
CVE-2023-25764
< 2.93.1
Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output
5.4MEDIUM
CVE-2023-25763
< 2.93.1
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a
5.4MEDIUM
CVE-2023-25762
<= 2.18
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Sni
5.4MEDIUM
CVE-2023-24422
< 1229.v4880b_b_e905a_6
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allow
8.8HIGH
CVE-2022-45379
< 1190.v65867a_a_47126
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, ma
7.5HIGH
CVE-2022-43409
<= 838.va_3a_087b_4055b
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks
5.4MEDIUM
CVE-2022-43408
< 2.27
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate U
6.5MEDIUM
CVE-2022-43407
<= 451.vf1a_a_4f405289
Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of t
8.8HIGH
CVE-2022-43404
<= 1183.v774b_0b_0a_a_451
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenki
9.9CRITICAL
CVE-2022-43403
<= 1183.v774b_0b_0a_a_451
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b
9.9CRITICAL
CVE-2022-43402
<= 2802.v5ea_628154b_c2
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Gr
9.9CRITICAL
CVE-2022-43401
<= 1183.v774b_0b_0a_a_451
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Secur
9.9CRITICAL
CVE-2022-41224
>= 2.367 and < 2.370
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on t
5.4MEDIUM
CVE-2022-38663
<= 4.11.4
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided
6.5MEDIUM
CVE-2022-36884
<= 4.11.3
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of
5.3MEDIUM
CVE-2022-36883
<= 4.11.3
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs con
7.5HIGH
CVE-2022-36882
<= 4.11.3
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of j
8.8HIGH
CVE-2022-2048
< 2.263
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can
7.5HIGH
CVE-2022-34177
<= 448.v37cea_9a_10a_70
Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for file parameters for Pipeline `i
7.5HIGH
CVE-2022-34175
>= 2.335 and <= 2.355
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly acc
7.5HIGH
CVE-2022-34174
<= 2.355
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing be
7.5HIGH
CVE-2022-34173
>= 2.340 and <= 2.355
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the j
5.4MEDIUM
CVE-2022-34172
>= 2.340 and <= 2.355
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, res
5.4MEDIUM
CVE-2022-34171
>= 2.321 and <= 2.355
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for
5.4MEDIUM
CVE-2022-34170
>= 2.320 and <= 2.355
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape
5.4MEDIUM
CVE-2022-30954
<= 1.25.3
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers wit
6.5MEDIUM
CVE-2022-30953
<= 1.25.3
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to a
6.5MEDIUM
CVE-2022-30952
<= 1.25.3
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credent
6.5MEDIUM
CVE-2022-30947
< 4.11.2
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on th
7.5HIGH
CVE-2022-30946
< 1172.v35f6a_0b_8207e
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attac
4.3MEDIUM
CVE-2022-30945
< 2689.v434009a_31b_f1
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkin
8.5HIGH
CVE-2022-29047
< 2.21.3
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit
5.3MEDIUM
CVE-2022-28158
<= 1.3
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permiss
6.5MEDIUM
CVE-2022-28157
<= 1.3
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary file
6.5MEDIUM
CVE-2022-28156
<= 1.3
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files
6.5MEDIUM
CVE-2022-28155
<= 1.3
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) a
8.1HIGH
CVE-2022-25184
<= 2.15
Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script u
6.5MEDIUM
CVE-2022-25183
<= 552.vd9cc05b8a2e1
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cach
8.8HIGH
CVE-2022-25182
<= 552.vd9cc05b8a2e1
A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers
8.8HIGH
CVE-2022-25181
<= 552.vd9cc05b8a2e1
A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers
8.8HIGH
CVE-2022-25180
<= 2648.va9433432b33c
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed bu
4.3MEDIUM
CVE-2022-25179
<= 706.vd43c65dec013
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier follows symbolic links to locations outside of the checkout dir
6.5MEDIUM
CVE-2022-25178
<= 552.vd9cc05b8a2e1
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to
6.5MEDIUM
CVE-2022-25177
<= 552.vd9cc05b8a2e1
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the
6.5MEDIUM
CVE-2022-25176
<= 2648.va9433432b33c
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directo
6.5MEDIUM
CVE-2022-25175
<= 706.vd43c65dec013
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the re
8.8HIGH
CVE-2022-25174
<= 552.vd9cc05b8a2e1
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCM
8.8HIGH
CVE-2022-25173
<= 2648.va9433432b33c
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading t
8.8HIGH
CVE-2022-0538
< 2.334
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the prote
7.5HIGH
CVE-2021-43859
< 2.319.3
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote att
7.5HIGH
CVE-2022-23105
<= 2.25
Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Acti
6.5MEDIUM
CVE-2022-20612
<= 2.329
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigge
4.3MEDIUM
CVE-2021-21697
<= 2.318
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored i
9.1CRITICAL
CVE-2021-21696
<= 2.318
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build dire
9.8CRITICAL
CVE-2021-21695
< 2.319
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.31
8.8HIGH
CVE-2021-21694
< 2.319
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permi
9.8CRITICAL
CVE-2021-21693
< 2.319
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenk
9.8CRITICAL
CVE-2021-21692
< 2.319
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-
9.8CRITICAL
CVE-2021-21691
< 2.319
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earli
9.8CRITICAL
CVE-2021-21690
< 2.319
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins
9.8CRITICAL
CVE-2021-21689
< 2.319
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.3
9.1CRITICAL
CVE-2021-21688
< 2.319
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does no
7.5HIGH
CVE-2021-21687
< 2.319
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchi
9.1CRITICAL
CVE-2021-21686
< 2.319
File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canon
8.1HIGH
CVE-2021-21685
< 2.319
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FileP
9.1CRITICAL
CVE-2021-21684
<= 4.8.2
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displ
6.1MEDIUM
CVE-2021-21683
<= 2.314
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, r
6.5MEDIUM
CVE-2021-21682
<= 2.314
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potenti
4.3MEDIUM
CVE-2021-21671
>= 2.266 and < 2.300
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
7.5HIGH
CVE-2021-21670
< 2.300
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have
4.3MEDIUM
CVE-2021-21640
<= 2.286
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing
4.3MEDIUM
CVE-2021-21639
<= 2.286
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted t
4.3MEDIUM
CVE-2021-28165
< 2.286
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
7.5HIGH
CVE-2021-21615
< 2.276
Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a
5.3MEDIUM
CVE-2021-21611
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page,
5.4MEDIUM
CVE-2021-21610
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview o
6.1MEDIUM
CVE-2021-21609
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths,
5.3MEDIUM
CVE-2021-21608
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scri
5.4MEDIUM
CVE-2021-21607
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allo
6.5MEDIUM
CVE-2021-21606
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for
4.3MEDIUM
CVE-2021-21605
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause J
8.0HIGH
CVE-2021-21604
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inje
8.0HIGH
CVE-2021-21603
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site s
5.4MEDIUM
CVE-2021-21602
<= 2.274
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archiv
6.5MEDIUM
CVE-2020-2303
<= 2.19
A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform
4.3MEDIUM
CVE-2020-2302
<= 2.19
A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to ac
4.3MEDIUM
CVE-2020-2301
<= 2.19
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authe
9.8CRITICAL
CVE-2020-2300
<= 2.19
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows
9.8CRITICAL
CVE-2020-2299
<= 2.19
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the passwor
9.8CRITICAL
CVE-2020-2279
<= 1.74
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandb
9.9CRITICAL
CVE-2020-2255
<= 1.23.2
A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connec
4.3MEDIUM
CVE-2020-2254
<= 1.23.2
Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job
6.5MEDIUM
CVE-2020-2253
<= 2.75
Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server
4.8MEDIUM
CVE-2020-2251
<= 1.5
Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as par
4.3MEDIUM
CVE-2020-2232
>= 2.72 and <= 2.73
Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins
7.5HIGH
CVE-2020-2231
<= 2.251
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger bu
5.4MEDIUM
CVE-2020-2230
<= 2.251
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored
5.4MEDIUM
CVE-2020-2229
<= 2.251
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-
5.4MEDIUM
CVE-2020-2223
<= 2.244
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs disp
5.4MEDIUM
CVE-2020-2222
<= 2.244
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, re
5.4MEDIUM
CVE-2020-2221
<= 2.244
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause,
5.4MEDIUM
CVE-2020-2220
<= 2.244
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a sto
5.4MEDIUM
CVE-2020-2190
<= 1.72
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process
5.4MEDIUM
CVE-2020-2166
<= 1.40
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary t
8.8HIGH
CVE-2020-2163
<= 2.227
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a s
5.4MEDIUM
CVE-2020-2162
<= 2.227
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file paramet
5.4MEDIUM
CVE-2020-2161
<= 2.227
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for
5.4MEDIUM
CVE-2020-2160
<= 2.227
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to
8.8HIGH
CVE-2020-2136
<= 4.2.0
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validat
5.4MEDIUM
CVE-2020-2135
<= 1.70
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on object
8.8HIGH
CVE-2020-2134
<= 1.70
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and
8.8HIGH
CVE-2012-0785
< 1.447
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424
7.5HIGH
CVE-2020-2110
<= 1.69
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by
8.8HIGH
CVE-2020-2109
<= 2.78
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions i
8.8HIGH
CVE-2020-2105
<= 2.218
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
5.4MEDIUM
CVE-2020-2104
<= 2.218
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
4.3MEDIUM
CVE-2020-2103
<= 2.218
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic
5.4MEDIUM
CVE-2020-2102
<= 2.218
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
5.3MEDIUM
CVE-2020-2101
<= 2.218
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secre
5.3MEDIUM
CVE-2020-2100
<= 2.218
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on po
5.8MEDIUM
CVE-2020-2099
<= 2.218
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3
8.6HIGH
CVE-2019-16538
<= 1.67
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter exp
8.8HIGH
CVE-2012-4441
< 1.482
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web scr
6.1MEDIUM
CVE-2012-4440
< 1.482
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web scr
6.1MEDIUM
CVE-2012-4439
< 1.482
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web scr
6.1MEDIUM
CVE-2012-4438
< 1.482
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to ins
8.8HIGH
CVE-2019-10431
<= 1.64
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter exp
9.9CRITICAL
CVE-2019-10406
<= 2.196
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuratio
4.8MEDIUM
CVE-2019-10405
<= 2.196
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allo
5.4MEDIUM
CVE-2019-10404
<= 2.196
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting i
5.4MEDIUM
CVE-2019-10403
<= 2.196
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting i
5.4MEDIUM
CVE-2019-10402
<= 2.196
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting
5.4MEDIUM
CVE-2019-10401
<= 2.196
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when e
5.4MEDIUM
CVE-2019-10400
<= 1.62
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in inc
4.2MEDIUM
CVE-2019-10399
<= 1.62
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in pro
4.2MEDIUM
CVE-2019-10394
<= 1.62
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in pro
4.2MEDIUM
CVE-2019-10393
<= 1.62
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in metho
4.2MEDIUM
CVE-2019-10384
<= 2.191
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resul
8.8HIGH
CVE-2019-10383
<= 2.191
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/A
4.8MEDIUM
CVE-2019-10357
<= 2.14
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read ac
4.3MEDIUM
CVE-2019-10356
<= 1.61
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expres
8.8HIGH
CVE-2019-10355
<= 1.61
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed at
8.8HIGH
CVE-2019-10354
<= 2.185
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to acces
4.3MEDIUM
CVE-2019-10353
<= 2.185
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them t
7.5HIGH
CVE-2019-10352
<= 2.185
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParame
6.5MEDIUM
CVE-2019-1003050
<= 2.171
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS
5.4MEDIUM
CVE-2019-1003049
<= 2.171
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authen
8.1HIGH
CVE-2019-10279
all versions
A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation metho
6.5MEDIUM
CVE-2019-10278
all versions
A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form
6.5MEDIUM
CVE-2019-1003061
all versions
Jenkins jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where th
8.8HIGH
CVE-2019-1003041
<= 2.64
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructo
9.8CRITICAL
CVE-2019-1003040
<= 1.55
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructor
9.8CRITICAL
CVE-2019-1003032
<= 2.64
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/
9.9CRITICAL
CVE-2019-1003030
<= 2.63
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/
9.9CRITICAL
CVE-2019-1003029
<= 1.53
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/sc
9.9CRITICAL
CVE-2019-1003024
<= 1.52
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java tha
8.8HIGH
CVE-2019-1003013
<= 1.10.1
A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/i
5.4MEDIUM
CVE-2019-1003012
<= 1.10.1
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartu
6.5MEDIUM
CVE-2019-1003010
<= 3.9.1
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitT
4.3MEDIUM
CVE-2019-1003009
<= 2.10
An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudso
7.4HIGH
CVE-2019-1003005
<= 1.50
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/sc
8.8HIGH
CVE-2018-1000997
<= 2.145
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in c
6.5MEDIUM
CVE-2019-1003004
<= 2.159
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/
7.2HIGH
CVE-2019-1003003
<= 2.158
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/
7.2HIGH
CVE-2019-1003002
<= 1.3.3
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groo
8.8HIGH
CVE-2019-1003001
<= 2.61
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/
8.8HIGH
CVE-2019-1003000
<= 1.49
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecu
8.8HIGH
CVE-2018-1000410
<= 2.145
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used
7.8HIGH
CVE-2018-1000409
<= 2.145
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/securit
5.4MEDIUM
CVE-2018-1000408
<= 2.145
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/securi
6.5MEDIUM
CVE-2018-1000407
<= 2.145
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/mod
6.1MEDIUM
CVE-2018-1000406
<= 2.145
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Fil
6.5MEDIUM
CVE-2018-1000866
<= 2.59
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groo
8.8HIGH
CVE-2018-1000865
<= 1.47
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groov
8.8HIGH
CVE-2018-1000864
<= 2.153
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attacke
6.5MEDIUM
CVE-2018-1000863
<= 2.153
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that
8.2HIGH
CVE-2018-1000862
<= 2.153
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java
4.3MEDIUM
CVE-2018-1000861
<= 2.153
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in s
9.8CRITICAL
CVE-2018-1999047
<= 2.137
An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows a
6.5MEDIUM
CVE-2018-1999046
<= 2.137
An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that a
4.3MEDIUM
CVE-2018-1999045
<= 2.137
An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBased
5.4MEDIUM
CVE-2018-1999044
<= 2.137
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers w
6.5MEDIUM
CVE-2018-1999043
<= 2.137
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, Basi
7.5HIGH
CVE-2018-1999042
<= 2.137
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins re
5.3MEDIUM
CVE-2017-2654
< 2.57.1
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugin is able to send emai
3.7LOW
CVE-2017-2649
<= 2.2
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Activ
8.1HIGH
CVE-2018-1999007
<= 2.121.1
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/k
5.4MEDIUM
CVE-2018-1999006
<= 2.132
An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that all
4.3MEDIUM
CVE-2018-1999005
<= 2.121.1
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTi
5.4MEDIUM
CVE-2018-1999004
<= 2.121.1
An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows
4.3MEDIUM
CVE-2018-1999003
<= 2.121.1
An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attacker
4.3MEDIUM
CVE-2018-1999002
<= 2.121.1
An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/ko
7.5HIGH
CVE-2018-1999001
<= 2.121.1
An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java t
8.8HIGH
CVE-2018-1000195
<= 2.120
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.jav
4.3MEDIUM
CVE-2018-1000194
<= 2.120
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java
8.1HIGH
CVE-2018-1000193
<= 2.120
An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPri
4.3MEDIUM
CVE-2018-1000192
<= 2.120
An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCom
4.3MEDIUM
CVE-2018-1000182
<= 3.9.0
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBro
6.4MEDIUM
CVE-2017-2598
< 2.44
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the
4.3MEDIUM
CVE-2017-2609
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385)
4.3MEDIUM
CVE-2017-2607
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-38
4.2MEDIUM
CVE-2017-2613
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only re
5.4MEDIUM
CVE-2017-2610
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly esc
5.4MEDIUM
CVE-2017-2604
< 2.44
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being cons
4.3MEDIUM
CVE-2017-2603
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sen
2.6LOW
CVE-2017-2602
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-mast
3.1LOW
CVE-2017-2612
< 2.44
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulti
5.4MEDIUM
CVE-2017-2608
<= 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of vario
8.8HIGH
CVE-2017-2600
< 2.44
In Jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These include
4.3MEDIUM
CVE-2017-2601
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURI
5.4MEDIUM
CVE-2017-2606
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names
4.3MEDIUM
CVE-2017-2611
< 2.44
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The
4.3MEDIUM
CVE-2018-1000176
<= 2.61
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/h
6.5MEDIUM
CVE-2018-1000170
<= 2.105
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopB
5.4MEDIUM
CVE-2018-1000169
<= 2.105
An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java an
5.3MEDIUM
CVE-2017-2599
< 2.44
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to c
5.4MEDIUM
CVE-2018-1000110
<= 3.7.0
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an at
5.3MEDIUM
CVE-2018-6356
< 2.107
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory
6.5MEDIUM
CVE-2018-1000068
<= 2.106
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows a
5.3MEDIUM
CVE-2018-1000067
<= 2.106
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an a
5.3MEDIUM
CVE-2017-1000356
<= 2.56
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authen
8.8HIGH
CVE-2017-1000355
<= 2.56
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instan
6.5MEDIUM
CVE-2017-1000354
<= 2.56
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating
8.8HIGH
CVE-2017-1000353
<= 2.56
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An
9.8CRITICAL
CVE-2017-1000401
<= 2.83
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports for
2.2LOW
CVE-2017-1000400
<= 2.83
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downst
4.3MEDIUM
CVE-2017-1000399
<= 2.83
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (t
4.3MEDIUM
CVE-2017-1000398
<= 2.83
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typic
4.3MEDIUM
CVE-2017-1000396
<= 2.83
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6
5.9MEDIUM
CVE-2017-1000395
<= 2.83
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyo
4.3MEDIUM
CVE-2017-1000394
<= 2.83
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulner
7.5HIGH
CVE-2017-1000393
<= 2.83
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a laun
8.8HIGH
CVE-2017-1000392
<= 2.88
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted
4.8MEDIUM
CVE-2017-1000391
<= 2.88
Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accoun
7.3HIGH
CVE-2017-1000505
<= 1.36
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able
6.5MEDIUM
CVE-2017-1000504
<= 2.94
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of comma
8.1HIGH
CVE-2017-1000503
>= 2.81 and <= 2.94
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of comm
8.1HIGH
CVE-2017-17383
<= 2.93
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configurat
4.7MEDIUM
CVE-2017-1000110
<= 1.1.5
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and b
4.3MEDIUM
CVE-2017-1000107
all versions
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super const
8.8HIGH
CVE-2017-1000106
<= 1.1.5
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and b
8.5HIGH
CVE-2017-1000105
<= 1.1.5
The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission b
5.3MEDIUM
CVE-2017-1000096
<= 2.36
Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initiali
8.8HIGH
CVE-2017-1000095
all versions
The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMeth
6.5MEDIUM
CVE-2017-1000092
all versions
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins bu
7.5HIGH
CVE-2017-1000089
<= 2.5
Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other el
5.3MEDIUM
CVE-2014-9635
<= 1.585
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later,
5.3MEDIUM
CVE-2014-9634
<= 1.585
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for
5.3MEDIUM
CVE-2017-1000362
<= 1.498
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also crea
9.8CRITICAL
CVE-2016-3102
all versions
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism v
7.3HIGH
CVE-2016-9299
<= 2.31
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted s
9.8CRITICAL
CVE-2016-3727
<= 2.2
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended
4.3MEDIUM
CVE-2016-3726
<= 2.2
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to ar
7.4HIGH
CVE-2016-3725
<= 2.2
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leverag
4.3MEDIUM
CVE-2016-3724
<= 1.649
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password
6.5MEDIUM
CVE-2016-3723
<= 2.2
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installatio
4.3MEDIUM
CVE-2016-3722
<= 2.2
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (un
4.3MEDIUM
CVE-2016-3721
<= 2.2
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the bui
4.3MEDIUM
CVE-2016-0792
<= 1.649
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbi
8.8HIGH
CVE-2016-0791
<= 1.649
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for
9.8CRITICAL
CVE-2016-0790
<= 1.649
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for r
5.3MEDIUM
CVE-2016-0789
<= 1.649
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attacke
6.1MEDIUM
CVE-2016-0788
<= 1.649
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a
9.8CRITICAL
CVE-2015-7539
<= 1.639
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update
7.5HIGH
CVE-2015-7538
<= 1.639
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors
8.8HIGH
CVE-2015-7537
<= 1.639
Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack t
8.8HIGH
CVE-2015-7536
<= 1.639
Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to injec
5.4MEDIUM
CVE-2015-8103
< 1.638
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a c
9.8CRITICAL
CVE-2015-5326
<= 1.637
Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote a
CVE-2015-5325
<= 1.637
Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a
CVE-2015-5324
<= 1.637
Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/a
CVE-2015-5323
<= 1.637
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators
CVE-2015-5322
<= 1.637
Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory content
CVE-2015-5321
<= 1.637
The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attac
CVE-2015-5320
<= 1.637
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows
CVE-2015-5319
<= 1.637
XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote
CVE-2015-5318
<= 1.637
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it eas
CVE-2015-5317
<= 1.637
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and bui
7.5HIGH
CVE-2014-3665
<= 1.586
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow
CVE-2015-1814
<= 1.605
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "for
CVE-2015-1813
<= 1.605
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrar
CVE-2015-1812
<= 1.605
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrar
CVE-2015-1810
<= 1.599
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names whe
CVE-2015-1808
<= 1.599
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and t
CVE-2015-1807
<= 1.599
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain pe
CVE-2015-1806
<= 1.599
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job con
CVE-2014-2068
<= 1.550
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remot
CVE-2014-2066
<= 1.550
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via v
CVE-2014-2065
<= 1.550
Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrar
CVE-2014-2064
<= 1.550
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2
CVE-2014-2063
<= 1.550
Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVE-2014-2062
<= 1.550
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenti
CVE-2014-2061
<= 1.550
The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain
CVE-2014-2060
<= 1.550
The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspe
CVE-2014-2058
<= 1.550
BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and ex
CVE-2013-7330
<= 1.501
Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-bu
CVE-2014-3680
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default v
CVE-2014-3667
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated us
CVE-2014-3666
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI chan
CVE-2014-3663
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended
CVE-2014-3662
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
CVE-2014-3661
<= 1.582
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors
CVE-2014-3681
< 1.583
Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrar
CVE-2014-3664
<= 1.582
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overal
CVE-2013-2034
<= 1.513
Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x bef
CVE-2013-2033
< 1.514
Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and
CVE-2014-2067
<= 1.550
Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows rem
CVE-2014-2059
<= 1.550
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS befor
CVE-2013-5573
all versions
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitr
CVE-2013-0331
<= 1.501
Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a
CVE-2013-0330
<= 1.501
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to bu
CVE-2013-0329
<= 1.501
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mec
CVE-2013-0328
<= 1.501
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrar
CVE-2013-0327
<= 1.501
Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote att
CVE-2013-0158
<= 1.466.2
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and
CVE-2012-6074
<= 1.466.2
Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x befor
CVE-2012-6073
<= 1.466.2
Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13,
CVE-2012-6072
<= 1.466.2
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13
CVE-2012-0325
all versions
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x befor
CVE-2012-0324
all versions
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x befor
CVE-2011-4344
<= 1.437
Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-a
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin