| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL. |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server. |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. |
