📦 Jenkins
by Jenkins
🔍 What is Jenkins?
Jenkins is an open-source automation server, written in Java and extended through plugins, that runs build, test and deployment pipelines. A Jenkins controller schedules work onto agents, which is why many of the advisories below concern what an agent, or an attacker controlling one, can do to the controller's file system.
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability in Jenkins allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system by exploiting a CLI command parser feature that replaces '@' characters fol...
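An added example, not Jenkins or args4j code, replicating the parser feature described above: an argument of the form `@<path>` is assumed to be replaced by the contents of `<path>` before the command sees it, so a command that echoes an unknown argument back in its error message leaks the file's first line. The hardened parser beside it leaves `@` alone. The file and its contents are constructed for the demo.

```python
"""Replica of an '@<path>' argument-expansion feature beside its hardened form.
Added example; not Jenkins or args4j code."""
import os
import tempfile


def _read_text(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def expand_at_args(args, read_file=_read_text):
    """Vulnerable behaviour: an argument '@<path>' is replaced by the lines of
    <path>. The command never sees the '@' argument itself."""
    out = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            out.extend(read_file(arg[1:]).splitlines())
        else:
            out.append(arg)
    return out


def parse_args_safe(args):
    """Hardened behaviour: '@' is an ordinary character, nothing is read."""
    return list(args)


def run_command(args, parser):
    """A command that only knows '--help' and, like many CLIs, echoes the first
    unknown argument in its error. With expansion on, that echo is line 1 of
    whatever file the caller named."""
    for arg in parser(args):
        if arg != "--help":
            return f"ERROR: No such option: {arg}"
    return "OK"


def demo():
    """Constructed file standing in for a sensitive file on the controller."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.key")
        with open(target, "w", encoding="utf-8") as f:
            f.write("constructed-secret-line-1\nconstructed-secret-line-2\n")
        attacker_args = ["@" + target]
        return (run_command(attacker_args, expand_at_args),
                run_command(attacker_args, parse_args_safe))


if __name__ == "__main__":
    leaked, blocked = demo()
    print("expansion enabled :", leaked)
    print("expansion disabled:", blocked)
```

The point for a defender is that the read happens in the argument parser, before any permission check the command itself performs, which is why a parser-level kill switch (Jenkins' fix disables the expansion by default) rather than per-command validation closes the hole.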
This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers to inject malicious scripts into error messages about plugin incompatibility. Attackers who can provide plugins to Jenk...
This vulnerability in Jenkins allows agents to create arbitrary symbolic links on the controller file system during archive extraction. Attackers with agent access can potentially write files anywhere...
This vulnerability in Jenkins allows agents to bypass access controls and execute arbitrary file operations on the controller's filesystem. It affects Jenkins instances with agent-to-controller securi...
This vulnerability allows Jenkins agents to create symbolic links on the controller without proper permission checks. Attackers with agent access can potentially write arbitrary files to sensitive loc...
This vulnerability in Jenkins allows agents to create temporary files on the controller before access controls are checked, enabling unauthorized file operations. It affects Jenkins 2.318 and earlier,...
This vulnerability allows attackers controlling Jenkins agent processes to replace trusted library files in the libs/ directory, leading to unauthenticated remote code execution on the Jenkins control...
This vulnerability in Jenkins allows agents to create arbitrary directories on the controller's filesystem without proper access control. Attackers with agent access can potentially write files anywhe...
This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the 'Mark temporarily offline' de...
Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) have a vulnerability where HTTP-based CLI connections aren't properly closed when corrupted, allowing unauthenticated attackers t...
This CVE describes an integer overflow vulnerability in Eclipse Jetty's HTTP/2 HPACK header processing. Attackers can send specially crafted HTTP/2 requests with large header values that bypass size l...
CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server resources. This affects any system using HTTP/2, incl...
This vulnerability in Jenkins allows attackers with access to the system temporary directory to replace plugin files during installation from a URL, potentially leading to arbitrary code execution. It...
This vulnerability in Jenkins allows attackers with file system access to read and write temporary files created during file uploads before Jenkins processes them. It affects Jenkins 2.423 and earlier...
This is a Cross-Site Request Forgery (CSRF) vulnerability in Jenkins where insufficient URL escaping allows attackers to trick authenticated users into sending unauthorized POST requests by opening co...
This vulnerability in Jenkins allows attackers to cause denial of service by exploiting improper request handling in the Apache Commons FileUpload library. Attackers can send specially crafted multipa...
This vulnerability in Eclipse Jetty's HTTP/2 server implementation allows attackers to cause denial of service by sending invalid HTTP/2 requests that trigger resource cleanup failures. The bug preven...
This vulnerability in Jenkins creates a timing side-channel in the login form that allows attackers to distinguish between invalid usernames and valid usernames with incorrect passwords. This enables ...
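An added example, not Jenkins code, of the failure mode above and its fix. A login routine that returns as soon as the user lookup fails never runs the password-hash computation, so a wrong-username attempt finishes measurably faster than a wrong-password attempt for a real user. The hardened routine always hashes, against a dummy record when the user is unknown, and never lets the dummy record authenticate. The user store, salt and passwords are constructed.

```python
"""Login timing side channel and the constant-work fix. Added example; not Jenkins code."""
import hashlib
import hmac
import statistics
import time

_ITER = 50_000
_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, PBKDF2 hash). Not real credentials.
USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)),
}
# Dummy record so unknown users cost the same hashing work as known ones.
_DUMMY = (_SALT, hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITER))

hash_calls = {"n": 0}  # instrumentation: how many hashes a login performed


def _hash(password, salt):
    hash_calls["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


def login_leaky(username, password):
    """Vulnerable: early return for unknown users skips the hash entirely."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def login_constant(username, password):
    """Hardened: same hashing work whether or not the user exists."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return ok and rec is not None  # a match against the dummy must never log in


def hash_count(fn, username, password):
    """Result of the login plus the number of hash computations it cost."""
    hash_calls["n"] = 0
    return fn(username, password), hash_calls["n"]


def median_seconds(fn, username, password, rounds=15):
    """Wall-clock median for the reader; absolute numbers depend on the machine."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_leaky, login_constant):
        print(fn.__name__, "unknown user: %.4fs" % median_seconds(fn, "nobody", "x"),
              "known user/wrong pw: %.4fs" % median_seconds(fn, "alice", "x"))
```

The hash count is what to test, not the timings: an attacker measuring over a network needs many samples to see the gap, but the gap exists whenever the unknown-user path does strictly less work.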
This vulnerability in Jenkins allows agents to access files outside their permitted directories by exploiting symbolic links. Attackers can read sensitive files on the Jenkins controller, potentially ...
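Several entries above (symbolic links created by agents, archive extraction, and this one) come down to the same check on the controller: is the path an agent asked for really inside the directory it is allowed to touch? An added example, not Jenkins code, shows why a lexical prefix check passes an escape through a symlink while a check on the resolved path rejects it. The workspace, secrets directory and link are constructed in a temporary directory.

```python
"""Path containment: lexical prefix check versus resolved-path check.
Added example; not Jenkins code."""
import os
import tempfile


def allowed_by_prefix(base, requested):
    """Naive check: the lexically normalised target must start with base."""
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, requested))
    return target == base or target.startswith(base + os.sep)


def allowed_by_realpath(base, requested):
    """Hardened check: resolve symlinks on both sides before comparing, so a
    link inside base that points outside it is rejected."""
    real_base = os.path.realpath(base)
    real_target = os.path.realpath(os.path.join(real_base, requested))
    return real_target == real_base or real_target.startswith(real_base + os.sep)


def demo():
    """Agent-writable workspace holding a symlink to the controller's secrets
    directory (all constructed). Returns each check's verdict."""
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        secrets = os.path.join(root, "secrets")
        os.makedirs(workspace)
        os.makedirs(secrets)
        with open(os.path.join(secrets, "master.key"), "w", encoding="utf-8") as f:
            f.write("constructed-key\n")
        os.symlink(secrets, os.path.join(workspace, "link"))  # planted by the "agent"
        via_link = os.path.join("link", "master.key")
        return {
            "prefix": allowed_by_prefix(workspace, via_link),
            "realpath": allowed_by_realpath(workspace, via_link),
            "honest": allowed_by_realpath(workspace, "build.log"),
            "dotdot": allowed_by_realpath(workspace, os.path.join("..", "secrets", "master.key")),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {'allowed' if verdict else 'denied'}")
```

Caveat: a resolve-then-open sequence is still racy against an agent that swaps the link between the check and the open. The durable fix is to apply the check to the file actually opened (walking components with `O_NOFOLLOW`, or comparing the opened file's identity) or to perform the operation under the agent's own privileges rather than the controller's.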
Jenkins 2.299 and earlier, including LTS 2.289.1 and earlier, fails to invalidate previous user sessions upon login. This allows attackers who have obtained a valid session cookie to maintain access e...
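An added example, not Jenkins code, of a minimal session store with the defect described above beside the fix: on the left the session that existed before login simply becomes the authenticated session, so anyone who already held its identifier holds the user's login; on the right login invalidates the old identifier and issues a fresh one. Identifiers are generated locally; nothing here is a real Jenkins cookie.

```python
"""Session fixation: keeping versus rotating the session id at login.
Added example; not Jenkins code."""
import secrets


class SessionStore:
    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": str | None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate within session sid; returns the id the client must use next."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            # Defect: the pre-login id, possibly known to an attacker, is now authenticated.
            self.sessions[sid]["user"] = user
            return sid
        del self.sessions[sid]  # invalidate the pre-login session
        fresh = self.new_session()
        self.sessions[fresh]["user"] = user
        return fresh

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(rotate_on_login):
    """An attacker has obtained a pre-login session id; the victim then logs in
    with that same session. Returns (what the attacker's copy resolves to,
    what the victim's current id resolves to)."""
    store = SessionStore(rotate_on_login)
    planted = store.new_session()
    victim_sid = store.login(planted, "victim")
    return store.whoami(planted), store.whoami(victim_sid)


if __name__ == "__main__":
    print("no rotation :", fixation_scenario(False))
    print("rotation    :", fixation_scenario(True))
```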
This vulnerability in Eclipse Jetty allows denial-of-service attacks by causing 100% CPU usage when processing large invalid TLS frames. Attackers can exploit this to make affected servers unresponsiv...
This vulnerability in Jenkins allows attackers with View/Read permission to view encrypted password values in views. It affects Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier. Users with limit...
Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) store build authorization tokens unencrypted in job configuration files. This allows users with Item/Extended Read permission or ...
Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) expose build authorization tokens in plain text on job configuration forms. This allows attackers with access to these forms to c...
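An added check, not Jenkins code, for the two preceding entries: walk `$JENKINS_HOME/jobs` and flag `authToken` values in job `config.xml` files that are not stored in encrypted form. It assumes that values encrypted with Jenkins' `Secret` class appear as base64 wrapped in braces (`{...}`); anything else is reported as plaintext. The two job configurations are constructed, and the braces value is a placeholder rather than a real ciphertext.

```python
"""Scan job config.xml files for plaintext build authorization tokens.
Added example; not Jenkins code."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumption: Jenkins Secret values are serialised as base64 inside braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def plaintext_tokens(config_path):
    """Previews of plaintext <authToken> values in one config.xml. Only the
    first four characters are kept so the scan does not copy tokens into a log."""
    hits = []
    for el in ET.parse(config_path).getroot().iter("authToken"):
        value = (el.text or "").strip()
        if value and not ENCRYPTED.match(value):
            hits.append(value[:4] + "...")
    return hits


def scan_jobs(jobs_root):
    """Walk the jobs tree; return {job directory name: [previews]} for offenders."""
    findings = {}
    for dirpath, _dirs, files in os.walk(jobs_root):
        if "config.xml" in files:
            hits = plaintext_tokens(os.path.join(dirpath, "config.xml"))
            if hits:
                findings[os.path.basename(dirpath)] = hits
    return findings


# Constructed job configurations (declared as XML 1.0 here; Jenkins writes 1.1).
PLAIN_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>constructed job with a plaintext token</description>
  <authToken>build-me-please</authToken>
  <builders/>
</project>
"""
ENCRYPTED_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>constructed job; the braces value is a placeholder</description>
  <authToken>{AQAAABAAAAAQcGxhY2Vob2xkZXJjaXBoZXJ0ZXh0MDAwMDAwMDA=}</authToken>
</project>
"""


def demo():
    with tempfile.TemporaryDirectory() as home:
        for name, xml in (("job-plain", PLAIN_JOB), ("job-encrypted", ENCRYPTED_JOB)):
            job_dir = os.path.join(home, "jobs", name)
            os.makedirs(job_dir)
            with open(os.path.join(job_dir, "config.xml"), "w", encoding="utf-8") as f:
                f.write(xml)
        return scan_jobs(os.path.join(home, "jobs"))


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of `JENKINS_HOME` taken from before and after the upgrade: a job still listed afterwards has not been re-saved, and its token stays readable to anyone with the file-level or Extended Read access the entries above describe until the job is saved again or the token is rotated.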
This vulnerability allows attackers without Overall/Read permission in Jenkins to list agent names through the sidepanel executors widget. It affects Jenkins 2.527 and earlier, and LTS 2.516.2 and ear...
This vulnerability in Jenkins allows authenticated attackers without Overall/Read permission to obtain limited information about Jenkins configuration through the user profile dropdown menu. Attackers...
This vulnerability allows attackers who can control log message content in Jenkins to insert line break characters followed by forged log messages. This could mislead administrators reviewing log outp...
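An added example, not Jenkins code, of the forgery above: one logging call whose message carries a line break produces two lines, the second of which is indistinguishable from a genuine record once written. The record format, the logger names and the attacker-controlled value are all constructed; the fix is to escape control characters at write time, since nothing can tell a forged line from a real one afterwards.

```python
"""Log injection via embedded line breaks, and write-time escaping.
Added example; not Jenkins code."""
import re

# Constructed record format: "<ISO timestamp> <LEVEL> <logger>: <message>"
RECORD = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (INFO|WARNING|SEVERE) \S+: ")

_ESCAPES = {"\r": "\\r", "\n": "\\n"}


def escape_control(text):
    """Render CR/LF and other C0 control characters visibly (tab is kept)."""
    return "".join(
        _ESCAPES.get(ch, ch if ord(ch) >= 0x20 or ch == "\t" else "\\x%02x" % ord(ch))
        for ch in text
    )


def write_record_vulnerable(ts, level, logger, message):
    """Attacker-controlled text goes straight into the record."""
    return f"{ts} {level} {logger}: {message}\n"


def write_record_safe(ts, level, logger, message):
    """One call yields exactly one record, whatever the message contains."""
    return f"{ts} {level} {logger}: {escape_control(message)}\n"


def records(log_text):
    return [line for line in log_text.split("\n") if line]


def looks_like_record(line):
    return bool(RECORD.match(line))


# Constructed attacker input, e.g. a build parameter or display name.
ATTACKER_VALUE = (
    "nightly-build\n"
    "2025-01-01T00:00:05Z INFO hudson.security.SecurityRealm: "
    "Administrator 'admin' logged in from 203.0.113.9"
)


def demo(writer):
    return writer("2025-01-01T00:00:00Z", "INFO", "hudson.model.Run",
                  "Started build " + ATTACKER_VALUE)


if __name__ == "__main__":
    print("vulnerable writer produced", len(records(demo(write_record_vulnerable))), "records")
    print("safe writer produced      ", len(records(demo(write_record_safe))), "records")
    print(demo(write_record_safe), end="")
```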
This vulnerability allows attackers with Computer/Create permission in Jenkins to copy agent configurations and access encrypted secrets they shouldn't have permission to view. It affects Jenkins 2.50...
This CSRF vulnerability in Jenkins allows attackers to trick authenticated users into toggling the collapsed/expanded status of sidepanel widgets like Build Queue and Build Executor Status. It affects...
This vulnerability in Jenkins allows attackers with Agent/Extended Read permission to view encrypted secrets stored in agent configuration files via REST API or CLI access. It affects Jenkins 2.499 an...
Jenkins versions 2.478 and earlier (including LTS 2.462.2 and earlier) fail to properly redact multi-line secret values in error messages when form submissions involve the secretTextarea field. This a...
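An added example, not Jenkins code, of the redaction failure above: a redactor that searches for the whole secret on each line of the message can never match a secret that itself spans several lines, so the key lands in the error text verbatim. The hardened version masks the complete value and then each sufficiently long line of it, which also covers a message that quotes only part of the key. The key and the error message are constructed.

```python
"""Redacting multi-line secrets from error messages. Added example; not Jenkins code."""


def redact_per_line(message, secret):
    """Line-oriented redaction: the whole secret is searched on each line, so a
    value containing line breaks never matches."""
    return "\n".join(line.replace(secret, "****") for line in message.split("\n"))


def redact_multiline(message, secrets, min_fragment=8):
    """Mask the complete value, then every line of it long enough to be
    meaningful, so a secret split across lines or partially quoted is masked.
    min_fragment stops short separators like '-----' from being masked everywhere."""
    out = message
    for secret in secrets:
        out = out.replace(secret, "****")
        for fragment in secret.splitlines():
            if len(fragment) >= min_fragment:
                out = out.replace(fragment, "****")
    return out


# Constructed multi-line secret, like a PEM key pasted into a secretTextarea field.
SECRET = (
    "-----BEGIN CONSTRUCTED KEY-----\n"
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC0n5trUcT\n"
    "-----END CONSTRUCTED KEY-----"
)
ERROR_MESSAGE = (
    "Failed to bind form field secretTextarea: unexpected value\n"
    + SECRET
    + "\n(expected PEM-encoded key)"
)


if __name__ == "__main__":
    print("per-line redaction:\n" + redact_per_line(ERROR_MESSAGE, SECRET))
    print("\nmulti-line redaction:\n" + redact_multiline(ERROR_MESSAGE, [SECRET]))
```

Even the hardened redactor only masks fragments it knows about; an error that quotes an arbitrary prefix of the value still leaks it. The safer design is for validation errors on secret fields to describe the problem without echoing the submitted value at all.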
This vulnerability in Jenkins allows attackers with Overall/Read permission to access other users' 'My Views' without proper authorization. It affects Jenkins versions 2.470 and earlier, and LTS 2.452...
A CSRF vulnerability in Jenkins allows attackers to trick authenticated users into logging into the attacker's Jenkins account. This affects Jenkins 2.540 and earlier, and Jenkins LTS 2.528.2 and earl...