Jenkins: Security Vulnerabilities
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-02-12
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
CVSS Score
8.8
EPSS Score
0.013
Published
2020-02-12
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.
CVSS Score
5.4
EPSS Score
0.001
Published
2020-02-12
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
CVSS Score
5.4
EPSS Score
0.001
Published
2020-02-12
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
CVSS Score
5.4
EPSS Score
0.001
Published
2020-02-12
Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-02-12
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
CVSS Score
8.6
EPSS Score
0.012
Published
2020-01-29
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
CVSS Score
5.8
EPSS Score
0.011
Published
2020-01-29
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
CVSS Score
5.3
EPSS Score
0.024
Published
2020-01-29
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
CVSS Score
5.3
EPSS Score
0.022
Published
2020-01-29