Filtered by vendor Jenkins
Subscriptions
Filtered by product Jenkins
Subscriptions
Total
286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64145 | 1 Jenkins | 2 Byteguard Build Actions, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-64144 | 1 Jenkins | 2 Byteguard Build Actions, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2025-64142 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2025-64141 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2025-64139 | 1 Jenkins | 2 Jenkins, Start Windocks Container | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | ||||
| CVE-2025-64138 | 1 Jenkins | 2 Jenkins, Start Windocks Container | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL. | ||||
| CVE-2025-64137 | 1 Jenkins | 2 Jenkins, Themis | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | ||||
| CVE-2025-64136 | 1 Jenkins | 2 Jenkins, Themis | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server. | ||||
| CVE-2025-59476 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. | ||||
| CVE-2025-59475 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). | ||||
| CVE-2025-59474 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. | ||||
| CVE-2025-58460 | 1 Jenkins | 2 Jenkins, Opentelemetry | 2025-11-04 | 4.2 Medium |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-58459 | 1 Jenkins | 3 Global-build-stats, Global Build Stats, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. | ||||
| CVE-2021-43859 | 6 Debian, Fedoraproject, Jenkins and 3 more | 14 Debian Linux, Fedora, Jenkins and 11 more | 2025-11-03 | 7.5 High |
| XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible. | ||||
| CVE-2024-23897 | 2 Jenkins, Redhat | 2 Jenkins, Ocp Tools | 2025-10-24 | 9.8 Critical |
| Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2015-5317 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-10-22 | 7.5 High |
| The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request. | ||||
| CVE-2021-28165 | 5 Eclipse, Jenkins, Netapp and 2 more | 28 Jetty, Jenkins, Cloud Manager and 25 more | 2025-08-27 | 7.5 High |
| In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | ||||
| CVE-2025-27622 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. | ||||
| CVE-2025-27623 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets. | ||||
| CVE-2025-27624 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets). | ||||