Jenkins: Security Vulnerabilities
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-03-05
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.
CVSS Score
6.8
EPSS Score
0.001
Published
2025-01-22
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-01-22
A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-01-22
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-01-22
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-01-22
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-01-22
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-01-22
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
CVSS Score
8.0
EPSS Score
0.014
Published
2024-11-27
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
CVSS Score
4.3
EPSS Score
0.019
Published
2024-11-27