Jenkins Security Vulnerabilities (CVEs)

This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malici...

This vulnerability in Jenkins allows attackers with View/Read permission to view encrypted password values in views. It affects Jenkins 2.540 and earl...

Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) store build authorization tokens unencrypted in job configuration files. This a...

Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) expose build authorization tokens in plain text on job configuration forms. Thi...

A CSRF vulnerability in Jenkins allows attackers to trick authenticated users into logging into the attacker's Jenkins account. This affects Jenkins 2...

This vulnerability in Jenkins Git client Plugin allows attackers who can control workspace directory names to inject arbitrary operating system comman...

This stored XSS vulnerability in Jenkins Coverage Plugin allows attackers with Item/Configure permission to inject malicious JavaScript via the REST A...

The Jenkins HashiCorp Vault Plugin vulnerability allows attackers with Item/Configure permission to access Vault credentials they shouldn't have acces...

The Jenkins Redpen - Pipeline Reporter for Jira Plugin vulnerability allows attackers with Item/Configure permission to bypass path validation and ret...

Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) have a vulnerability where HTTP-based CLI connections aren't properly closed wh...

The Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens in plaintext within job configuration files, allowing users with Item/Extended Read p...

The Jenkins ByteGuard Build Actions Plugin 1.0 fails to mask API tokens in the job configuration form, potentially exposing sensitive credentials to u...

The Jenkins Curseforge Publisher Plugin 1.0 stores API keys in plaintext within job configuration files, allowing users with Item/Extended Read permis...

The Jenkins Curseforge Publisher Plugin 1.0 displays API keys in plain text on job configuration forms instead of masking them. This allows attackers ...

The Jenkins Publish to Bitbucket Plugin before version 0.5 has a missing permission check that allows authenticated attackers with only Overall/Read p...

A CSRF vulnerability in Jenkins Publish to Bitbucket Plugin allows attackers to trick authenticated users into connecting Jenkins to attacker-controll...

This vulnerability in Jenkins Publish to Bitbucket Plugin allows attackers with Overall/Read permission to connect to attacker-controlled URLs using s...

The Jenkins Themis Plugin 1.4.1 and earlier contains a missing permission check vulnerability that allows authenticated attackers with Overall/Read pe...

A CSRF vulnerability in Jenkins Start Windocks Containers Plugin allows attackers to trick authenticated users into connecting Jenkins to attacker-con...

This vulnerability in Jenkins Start Windocks Containers Plugin allows attackers with Overall/Read permission to connect to arbitrary URLs, potentially...

The Jenkins Azure CLI Plugin vulnerability allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controll...

The Jenkins Nexus Task Runner Plugin before version 0.9.3 has a missing permission check vulnerability. Attackers with Overall/Read permission can for...

The Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job configuration files, allowing users with Item/...

The Jenkins MCP Server Plugin vulnerability allows attackers to bypass permission checks and trigger unauthorized builds or access sensitive job/cloud...

A CSRF vulnerability in Jenkins Extensible Choice Parameter Plugin allows attackers to trick authenticated users into executing sandboxed Groovy code....

Jenkins JDepend Plugin 1.3.1 and earlier contains an XML external entity (XXE) vulnerability due to an outdated JDepend Maven Plugin dependency. This ...

A CSRF vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to trick authenticated users into making unintended requests to attac...

This vulnerability allows attackers without Overall/Read permission in Jenkins to list agent names through the sidepanel executors widget. It affects ...

This vulnerability in Jenkins allows authenticated attackers without Overall/Read permission to obtain limited information about Jenkins configuration...

This vulnerability allows attackers who can control log message content in Jenkins to insert line break characters followed by forged log messages. Th...

This vulnerability in Jenkins Git client Plugin allows attackers with Overall/Read permission to determine whether specific file paths exist on the Je...

The Jenkins global-build-stats plugin has a missing authorization vulnerability in its REST API endpoints. Attackers with Overall/Read permission can ...

The Jenkins OpenTelemetry Plugin vulnerability allows attackers with Overall/Read permission to exfiltrate Jenkins credentials by connecting to attack...

The Jenkins Xooa Plugin 0.0.7 and earlier stores sensitive deployment tokens unencrypted in Jenkins configuration files. This allows attackers with fi...

The Jenkins User1st uTester Plugin 1.1 and earlier stores JWT tokens unencrypted in global configuration files on the Jenkins controller. This allows ...

Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier expose Applitools API keys in plain text on job configuration forms. This allows attackers ...

The Jenkins Dead Man's Snitch Plugin 0.1 stores sensitive authentication tokens unencrypted in job configuration files. This allows users with Item/Ex...

The Jenkins VAddy Plugin 1.2.8 and earlier stores VAddy API authentication keys unencrypted in job configuration files. This allows users with Item/Ex...

The Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores sensitive API keys and encryption keys unencrypted in job configuration files. This allow...

The Jenkins Kryptowire Plugin stores API keys unencrypted in configuration files, allowing attackers with file system access to steal sensitive creden...

The Jenkins Sensedia Api Platform tools Plugin 1.0 fails to mask the Sensedia API Manager integration token on the global configuration form, exposing...

The Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores sensitive credentials unencrypted in job configuration files on the Jenkins con...

Jenkins Applitools Eyes Plugin 1.16.5 and earlier contains a stored cross-site scripting (XSS) vulnerability where the Applitools URL is not properly ...

The Jenkins QMetry Test Management Plugin 1.13 and earlier exposes API keys in plain text on job configuration forms instead of masking them. This all...

The Jenkins IFTTT Build Notifier Plugin stores sensitive IFTTT Maker Channel Keys unencrypted in configuration files, allowing users with Item/Extende...

The Jenkins Apica Loadtest Plugin stores authentication tokens in plaintext within job configuration files, allowing users with Item/Extended Read per...

The Jenkins Credentials Binding Plugin versions 687.v619cb_15e923f and earlier expose sensitive credentials in error messages written to build logs. T...

The Jenkins Git Parameter Plugin vulnerability allows attackers with Item/Build permission to inject arbitrary values into Git parameters by bypassing...

The Jenkins Statistics Gatherer Plugin stores AWS Secret Keys unencrypted in global configuration files, allowing attackers with file system access to...

The Jenkins Gatling Plugin 136.vb_9009b_3d33a_e has a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into ...