CVEdetails.com the ultimate security vulnerability data source
Jenkins » Jenkins » all versions: Security Vulnerabilities

Cpe Name:cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Columns: entry number | CVE ID | CWE ID | vulnerability type(s) | publish date | update date | CVSS (v2) score. Second line of each entry: gained access level | access vector | access complexity | authentication | confidentiality, integrity and availability impact. Third line: description. The "# of exploits" column is empty for every entry on this page and is omitted; an empty cell is shown as "-", and "???" in the authentication column is reproduced as the page shows it.

1. CVE-2022-34175 | CWE-863 | Bypass | published 2022-06-23 | updated 2022-06-29 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.

2. CVE-2022-34173 | CWE-79 | XSS | published 2022-06-23 | updated 2022-06-30 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
   In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

3. CVE-2022-34172 | CWE-79 | XSS | published 2022-06-23 | updated 2022-06-30 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
   In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.

4. CVE-2021-28165 | CWE-755 | - | published 2021-04-01 | updated 2022-07-29 | score 7.8
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Complete
   In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

5. CVE-2019-1003050 | CWE-79 | XSS | published 2019-04-10 | updated 2022-06-13 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

6. CVE-2019-1003049 | CWE-613 | - | published 2019-04-10 | updated 2022-06-13 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
   Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

7. CVE-2019-10384 | CWE-352 | Bypass, CSRF | published 2019-08-28 | updated 2022-06-13 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
   Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

8. CVE-2019-10383 | CWE-79 | XSS | published 2019-08-28 | updated 2022-06-13 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

9. CVE-2018-1999007 | CWE-79 | XSS | published 2018-07-23 | updated 2022-06-13 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

10. CVE-2018-1999005 | CWE-79 | XSS | published 2018-07-23 | updated 2022-06-13 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

11. CVE-2018-1999004 | CWE-863 | - | published 2018-07-23 | updated 2022-06-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

12. CVE-2018-1999003 | CWE-863 | - | published 2018-07-23 | updated 2022-06-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

13. CVE-2018-1999002 | - | - | published 2018-07-23 | updated 2022-06-13 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

14. CVE-2018-1999001 | - | - | published 2018-07-23 | updated 2022-06-13 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

15. CVE-2018-1000195 | CWE-352 | - | published 2018-06-05 | updated 2022-06-13 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

16. CVE-2018-1000194 | CWE-22 | Dir. Trav., Bypass | published 2018-06-05 | updated 2022-06-13 | score 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

17. CVE-2018-1000193 | CWE-74 | - | published 2018-06-05 | updated 2022-06-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

18. CVE-2018-1000192 | - | - | published 2018-06-05 | updated 2022-06-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

19. CVE-2018-1000068 | CWE-200 | +Info | published 2018-02-16 | updated 2022-06-13 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

20. CVE-2018-1000067 | CWE-918 | - | published 2018-02-16 | updated 2022-06-13 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

21. CVE-2018-6356 | CWE-22 | Dir. Trav. | published 2018-02-20 | updated 2022-06-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

22. CVE-2017-1000503 | CWE-362 | Exec Code | published 2018-01-24 | updated 2018-02-12 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
   A race condition during startup of Jenkins 2.81 through 2.94 (inclusive) and 2.89.1 could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup, which left multiple security-related settings not set to their usual strict defaults.

23. CVE-2017-1000362 | CWE-200 | +Info | published 2017-07-17 | updated 2017-07-26 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

24. CVE-2017-1000356 | CWE-352 | - | published 2018-01-29 | updated 2018-02-15 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
   Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery (CWE-352) issue in the Jenkins user database authentication realm: an attacker could create an account if signup is enabled, or, if the victim is an administrator, create an account and possibly delete the existing default admin user in the process, allowing a wide variety of impacts.

25. CVE-2017-1000355 | CWE-502 | - | published 2018-01-29 | updated 2018-02-15 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when it tries to instantiate void/Void.

26. CVE-2017-1000354 | CWE-287 | - | published 2018-01-29 | updated 2018-02-15 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
   Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

27. CVE-2017-1000353 | CWE-502 | Exec Code, Bypass | published 2018-01-29 | updated 2022-06-13 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
   Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

28. CVE-2017-17383 | CWE-79 | XSS | published 2017-12-06 | updated 2017-12-22 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

29. CVE-2017-2613 | CWE-352 | CSRF | published 2018-05-15 | updated 2019-10-09 | score 5.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: Partial
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

30. CVE-2017-2612 | CWE-732 | - | published 2018-05-15 | updated 2019-10-09 | score 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: Partial
   In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.

31. CVE-2017-2611 | CWE-863 | - | published 2018-05-08 | updated 2020-09-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

32. CVE-2017-2610 | CWE-79 | XSS | published 2018-05-15 | updated 2019-10-09 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).

33. CVE-2017-2609 | CWE-200 | +Info | published 2018-05-22 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.

34. CVE-2017-2608 | CWE-502 | Exec Code | published 2018-05-15 | updated 2019-10-09 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

35. CVE-2017-2607 | CWE-79 | XSS | published 2018-05-21 | updated 2019-10-09 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

36. CVE-2017-2606 | CWE-200 | +Info | published 2018-05-08 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

37. CVE-2017-2604 | CWE-287 | - | published 2018-05-15 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

38. CVE-2017-2603 | CWE-200 | +Info | published 2018-05-15 | updated 2019-10-09 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

39. CVE-2017-2602 | - | - | published 2018-05-15 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem, which could allow malicious agents to write to those metadata files (SECURITY-358).

40. CVE-2017-2601 | CWE-79 | XSS | published 2018-05-10 | updated 2022-06-30 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

41. CVE-2017-2600 | CWE-200 | +Info | published 2018-05-15 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   In Jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

42. CVE-2017-2599 | CWE-863 | - | published 2018-04-11 | updated 2020-12-04 | score 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

43. CVE-2017-2598 | CWE-326 | - | published 2018-05-23 | updated 2019-10-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets, which exposes Jenkins and the stored secrets to unnecessary risks (SECURITY-304).

44. CVE-2016-3727 | CWE-200 | +Info | published 2016-05-17 | updated 2018-01-05 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

45. CVE-2016-3726 | - | - | published 2016-05-17 | updated 2018-01-05 | score 5.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: None
   Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

46. CVE-2016-3725 | CWE-264 | DoS | published 2016-05-17 | updated 2018-01-05 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
   Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

47. CVE-2016-3724 | CWE-200 | +Info | published 2016-05-17 | updated 2018-01-05 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

48. CVE-2016-3723 | CWE-200 | +Info | published 2016-05-17 | updated 2018-01-05 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

49. CVE-2016-3722 | CWE-264 | DoS | published 2016-05-17 | updated 2018-01-05 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

50. CVE-2016-3721 | CWE-17 | - | published 2016-05-17 | updated 2018-01-05 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
Total number of vulnerabilities: 110. Page 1 of 3 (this page).
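The entries above state their affected ranges in two forms ("2.132 and earlier, 2.121.1 and earlier"; "before 2.107 and LTS before 2.89.4"; "2.335 through 2.355 (both inclusive)"), and the weekly and LTS lines have to be compared separately because an LTS number such as 2.121.1 sorts below weekly 2.132 even though it was cut later. The following triage helper is an added example, not CVEdetails.com or Jenkins code: it transcribes a handful of the ranges from this page into data and reports which of them cover a given core version. It assumes that a three-component version string is an LTS release and a two-component one is a weekly release (the usual Jenkins numbering), and it only knows the entries listed in its table, so an empty result means "none of these", not "patched".

```python
"""Which of the Jenkins core CVEs on this page cover a given version?
Added example; ranges below are transcribed from the entry descriptions.
Assumption: three-component versions (2.121.1) are LTS, two-component
versions (2.132) are weekly releases."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
_OPEN = 10**9  # sentinel so that "X and earlier" includes every X.y sub-release


def parse_version(text: str) -> Version:
    """'2.164.1' -> (2, 164, 1). Raises ValueError for non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_lts(v: Version) -> bool:
    return len(v) == 3


def through(text: str) -> Version:
    """Exclusive upper bound that still admits every version prefixed by `text`."""
    return parse_version(text) + (_OPEN,)


def before(text: str) -> Version:
    """Exclusive upper bound: 'before 2.107' -> (2, 107)."""
    return parse_version(text)


@dataclass(frozen=True)
class Advisory:
    cve: str
    weekly: Optional[Tuple[Version, Version]]  # [lo, hi) on the weekly line
    lts: Optional[Tuple[Version, Version]]     # [lo, hi) on the LTS line
    summary: str


ZERO: Version = (0,)

# Transcribed from the descriptions above. lts=None means the description names
# no LTS range, i.e. unknown here, not "unaffected".
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2022-34175", ((2, 335), through("2.355")), None, "view fragment permission bypass"),
    Advisory("CVE-2022-34173", ((2, 340), through("2.355")), None, "XSS in list view build button tooltip"),
    Advisory("CVE-2022-34172", ((2, 340), through("2.355")), None, "XSS via symbol icon tooltip"),
    Advisory("CVE-2019-10384", (ZERO, through("2.191")), (ZERO, through("2.176.2")), "non-expiring CSRF tokens"),
    Advisory("CVE-2018-1999002", (ZERO, through("2.132")), (ZERO, through("2.121.1")), "arbitrary file read via Stapler"),
    Advisory("CVE-2018-6356", (ZERO, before("2.107")), (ZERO, before("2.89.4")), "path traversal in plugin resource URLs"),
    Advisory("CVE-2017-1000353", (ZERO, through("2.56")), (ZERO, through("2.46.1")), "unauthenticated RCE via remoting CLI"),
    Advisory("CVE-2017-2598", (ZERO, before("2.44")), (ZERO, before("2.32.2")), "AES-ECB secret encryption"),
]


def affected_by(version_text: str) -> List[str]:
    """CVE IDs from ADVISORIES whose range (on the matching release line) covers the version."""
    v = parse_version(version_text)
    hits: List[str] = []
    for adv in ADVISORIES:
        rng = adv.lts if is_lts(v) else adv.weekly
        if rng is None:
            continue
        lo, hi = rng
        if lo <= v < hi:
            hits.append(adv.cve)
    return hits


if __name__ == "__main__":
    for ver in ("2.340", "2.355", "2.356", "2.121.1", "2.89.3", "2.89.4", "2.46.1"):
        line = "LTS" if is_lts(parse_version(ver)) else "weekly"
        print(f"{ver:>8} ({line}): {affected_by(ver)}")
```

Tuple comparison does the work: `(2, 355) < (2, 355, _OPEN)` is true (a strict prefix sorts first), so "2.355 and earlier" admits 2.355 itself, while `before("2.89.4")` leaves 2.89.4 out. Plugin CVEs, which are the bulk of most real Jenkins exposure, are not on this page and therefore not in the table.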
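Entry 43 (CVE-2017-2598) says only that AES in ECB mode without an IV exposes stored secrets to "unnecessary risks". The concrete risk is that ECB is deterministic and block-by-block: two secrets with the same value encrypt to the same bytes under the same key, and a secret whose plaintext repeats a 16-byte block repeats it in the ciphertext, so anyone who can read the encrypted store can compare secrets without decrypting them. The script below is an added example, not Jenkins code. A four-round Feistel network keyed with HMAC-SHA256 stands in for AES so it runs on the standard library alone; the leak it shows is a property of the mode, not of the block cipher inside it, and the CBC-with-random-IV variant is shown as the minimal change that removes the property (an authenticated mode would be the choice for new code).

```python
"""ECB versus CBC-with-random-IV for a stored secret. Added example; the
block cipher is a toy Feistel construction standing in for AES."""
import hashlib
import hmac
import os
from typing import List, Optional

BLOCK = 16
HALF = BLOCK // 2


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function: keyed PRF (HMAC-SHA256) truncated to half a block."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round Feistel network (not AES)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, i, left))), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, secret: bytes) -> bytes:
    """No IV, every block encrypted independently: deterministic output."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(secret)))


def cbc_encrypt(key: bytes, secret: bytes, iv: Optional[bytes] = None) -> bytes:
    """Fresh random IV per encryption, stored in front of the ciphertext."""
    iv = iv if iv is not None else os.urandom(BLOCK)
    out, prev = [iv], iv
    for b in _blocks(pkcs7_pad(secret)):
        prev = block_encrypt(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    blocks = _blocks(data)
    iv, body = blocks[0], blocks[1:]
    plain, prev = [], iv
    for c in body:
        plain.append(bytes(x ^ y for x, y in zip(block_decrypt(key, c), prev)))
        prev = c
    return pkcs7_unpad(b"".join(plain))


def ecb_repeats(key: bytes, secret: bytes) -> bool:
    """True if two ciphertext blocks are identical (plaintext structure leaks)."""
    bl = _blocks(ecb_encrypt(key, secret))
    return len(bl) != len(set(bl))


def cbc_repeats(key: bytes, secret: bytes) -> bool:
    bl = _blocks(cbc_encrypt(key, secret))[1:]  # skip the IV block
    return len(bl) != len(set(bl))


if __name__ == "__main__":
    key = os.urandom(32)
    repeated = b"A" * 32        # constructed: the same 16-byte block twice
    print("ECB shows the repeated block:", ecb_repeats(key, repeated))
    print("CBC shows the repeated block:", cbc_repeats(key, repeated))
    print("ECB: same secret -> same bytes:", ecb_encrypt(key, b"hunter2") == ecb_encrypt(key, b"hunter2"))
    print("CBC: same secret -> same bytes:", cbc_encrypt(key, b"hunter2") == cbc_encrypt(key, b"hunter2"))
    print("CBC round trip ok:", cbc_decrypt(key, cbc_encrypt(key, repeated)) == repeated)
```

The equality-oracle line is the one that matters for a secrets store: with ECB, an attacker holding a copy of the encrypted configuration can tell which jobs share a credential, and can test guesses offline if the key is ever reused, without recovering the key at all.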
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.