Cross-site Scripting XSS

CVE-2020-2256 (v3: 5.4) 16 Sep 2020
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2257 (v3: 5.4) 16 Sep 2020
Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2259 (v3: 5.4) 16 Sep 2020
Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CVE-2020-2262 (v3: 5.4) 16 Sep 2020
Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
CVE-2020-2263 (v3: 5.4) 16 Sep 2020
Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2264 (v3: 5.4) 16 Sep 2020
Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2266 (v3: 5.4) 16 Sep 2020
Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2269 (v3: 5.4) 16 Sep 2020
Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
CVE-2020-2270 (v3: 5.4) 16 Sep 2020
Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2190 (v3: 5.4) 3 Jun 2020
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2193 (v3: 5.4) 3 Jun 2020
Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2194 (v3: 5.4) 3 Jun 2020
Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2195 (v3: 5.4) 3 Jun 2020
Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
CVE-2020-2199 (v3: 6.1) 3 Jun 2020
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-2173 (v3: 5.4) 7 Apr 2020
Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
CVE-2020-2174 (v3: 6.1) 7 Apr 2020
Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-2175 (v3: 5.4) 7 Apr 2020
Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.
CVE-2020-2176 (v3: 5.4) 7 Apr 2020
Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.
CVE-2020-2161 (v3: 5.4) 25 Mar 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
CVE-2020-2162 (v3: 5.4) 25 Mar 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
CVE-2020-2163 (v3: 5.4) 25 Mar 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
CVE-2020-2169 (v3: 6.1) 25 Mar 2020
A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.
CVE-2020-2170 (v3: 5.4) 25 Mar 2020
Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.
CVE-2020-2136 (v3: 5.4) 9 Mar 2020
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2137 (v3: 4.8) 9 Mar 2020
Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2020-2140 (v3: 6.1) 9 Mar 2020
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-2152 (v3: 6.1) 9 Mar 2020
Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-2111 (v3: 5.4) 12 Feb 2020
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2112 (v3: 5.4) 12 Feb 2020
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
CVE-2020-2113 (v3: 5.4) 12 Feb 2020
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
CVE-2020-2122 (v3: 5.4) 12 Feb 2020
Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.
CVE-2020-2106 (v3: 5.4) 29 Jan 2020
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.
CVE-2020-2096 (v3: 6.1) 15 Jan 2020
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
CVE-2019-16562 (v3: 5.4) 17 Dec 2019
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.
CVE-2019-16563 (v3: 5.4) 17 Dec 2019
Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
CVE-2019-16564 (v3: 5.4) 17 Dec 2019
Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.
CVE-2012-4440 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.
CVE-2012-4441 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2012-4439 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.
CVE-2019-10475 (v3: 6.1) 23 Oct 2019
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
CVE-2019-10432 (v3: 5.4) 1 Oct 2019
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
CVE-2019-10401 (v3: 5.4) 25 Sep 2019
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
CVE-2019-10402 (v3: 5.4) 25 Sep 2019
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
CVE-2019-10403 (v3: 5.4) 25 Sep 2019
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
CVE-2019-10404 (v3: 5.4) 25 Sep 2019
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
CVE-2019-10406 (v3: 4.8) 25 Sep 2019
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2019-10410 (v3: 5.4) 25 Sep 2019
Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.
CVE-2019-10395 (v3: 5.4) 12 Sep 2019
Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.
CVE-2019-10396 (v3: 5.4) 12 Sep 2019
Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.
CVE-2019-10383 (v3: 4.8) 28 Aug 2019
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

Bounds of a Memory Buffer

Improper Input Validation

CVE-2020-2166 (v3: 8.8) 25 Mar 2020
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
CVE-2020-2167 (v3: 8.8) 25 Mar 2020
Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
CVE-2020-2168 (v3: 8.8) 25 Mar 2020
Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
CVE-2020-2109 (v3: 9.9) 12 Feb 2020
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
CVE-2020-2110 (v3: 9.9) 12 Feb 2020
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
CVE-2012-4438 (v3: 8.8) 18 Nov 2019
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.
CVE-2019-10458 (v3: 9.9) 16 Oct 2019
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
CVE-2019-10393 (v3: 9.8) 12 Sep 2019
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10394 (v3: 9.8) 12 Sep 2019
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10399 (v3: 9.8) 12 Sep 2019
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10400 (v3: 9.8) 12 Sep 2019
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10390 (v3: 8.8) 28 Aug 2019
A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10358 (v3: 6.5) 31 Jul 2019
Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.
CVE-2019-10362 (v3: 5.4) 31 Jul 2019
Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.
CVE-2019-1003011 (v3: 8.1) 6 Feb 2019
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.
CVE-2018-1999037 (v3: 4.3) 1 Aug 2018
A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource.
CVE-2018-1999001 (v3: 8.8) 23 Jul 2018
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
CVE-2018-1999002 (v3: 7.5) 23 Jul 2018
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
CVE-2018-1000607 (v3: 6.5) 26 Jun 2018
A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as.
CVE-2017-1000401 (v3: 2.2) 26 Jan 2018
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.
CVE-2017-1000402 (v3: 5.9) 26 Jan 2018
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
CVE-2017-1000391 (v3: 7.3) 26 Jan 2018
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.
CVE-2017-1000394 (v3: 7.5) 26 Jan 2018
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.
CVE-2017-1000397 (v3: 5.9) 26 Jan 2018
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
CVE-2016-0789 (v3: 6.1) 7 Apr 2016
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2016-0792 (v3: 8.8) 7 Apr 2016
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
CVE-2015-1808 (v2: 3.5) 16 Oct 2015
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.
CVE-2013-0331 (v2: 4) 19 Mar 2013
Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.
CVE-2012-6072 (v2: 4.3) 24 Feb 2013
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2012-6073 (v2: 5.8) 24 Feb 2013
Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Exposure to Unauthorized Actor

CVE-2020-2103 (v3: 5.4) 29 Jan 2020
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
CVE-2019-10436 (v3: 6.5) 16 Oct 2019
An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.
CVE-2019-10405 (v3: 4.3) 25 Sep 2019
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
CVE-2019-10407 (v3: 6.5) 25 Sep 2019
Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.
CVE-2019-10391 (v3: 6.5) 28 Aug 2019
Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
CVE-2019-10375 (v3: 6.5) 7 Aug 2019
An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.
CVE-2019-10363 (v3: 4.9) 31 Jul 2019
Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form.
CVE-2019-10364 (v3: 5.5) 31 Jul 2019
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.
CVE-2019-10365 (v3: 4.3) 31 Jul 2019
Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission.
CVE-2019-10354 (v3: 4.3) 17 Jul 2019
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
CVE-2019-10341 (v3: 6.5) 11 Jul 2019
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10342 (v3: 4.3) 11 Jul 2019
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
CVE-2019-10348 (v3: 8.8) 11 Jul 2019
Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10350 (v3: 8.8) 11 Jul 2019
Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10351 (v3: 8.8) 11 Jul 2019
Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10333 (v3: 4.3) 11 Jun 2019
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances.
CVE-2019-1003045 (v3: 6.5) 28 Mar 2019
A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration.
CVE-2019-1003035 (v3: 4.3) 8 Mar 2019
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.
CVE-2019-1003037 (v3: 6.5) 8 Mar 2019
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2019-1003025 (v3: 8.8) 20 Feb 2019
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-1003018 (v3: 4.3) 6 Feb 2019
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
CVE-2019-1003021 (v3: 4.3) 6 Feb 2019
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
CVE-2018-1000410 (v3: 7.8) 9 Jan 2019
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.
CVE-2018-1000419 (v3: 6.5) 9 Jan 2019
An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.
CVE-2018-1000862 (v3: 4.3) 10 Dec 2018
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.
CVE-2018-1999046 (v3: 4.3) 23 Aug 2018
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent.
CVE-2017-2654 (v3: 5.3) 6 Aug 2018
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
CVE-2018-1999028 (v3: 8.8) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
CVE-2018-1999030 (v3: 5.4) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
CVE-2018-1999031 (v3: 6.5) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration.
CVE-2018-1999033 (v3: 6.5) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins Anchore Container Image Scanner Plugin 10.16 and earlier in AnchoreBuilder.java that allows attackers with Item/ExtendedRead permission or file system access to the Jenkins master to obtain the password stored in this plugin's configuration.
CVE-2018-1999040 (v3: 8.8) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
CVE-2018-1999041 (v3: 5.5) 1 Aug 2018
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.
CVE-2017-2651 (v3: 3.7) 27 Jul 2018
jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
CVE-2018-1999006 (v3: 4.3) 23 Jul 2018
A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.
CVE-2018-1000402 (v3: 4.3) 9 Jul 2018
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later.
CVE-2018-1000600 (v3: 8.8) 26 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2018-1000601 (v3: 6.5) 26 Jun 2018
A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system.
CVE-2018-1000603 (v3: 8.8) 26 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in BootSource.java, InstancesToRun.java, JCloudsCleanupThread.java, JCloudsCloud.java, JCloudsComputer.java, JCloudsPreCreationThread.java, JCloudsRetentionStrategy.java, JCloudsSlave.java, JCloudsSlaveTemplate.java, LauncherFactory.java, OpenstackCredentials.java, OpenStackMachineStep.java, SlaveOptions.java, SlaveOptionsDescriptor.java that allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
CVE-2018-1000609 (v3: 6.5) 26 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration.
CVE-2018-1000192 (v3: 4.3) 5 Jun 2018
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.
CVE-2018-1000196 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.
CVE-2018-1000183 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2018-1000186 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2018-1000187 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.
CVE-2018-1000190 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2018-1000191 (v3: 6.5) 5 Jun 2018
A exposure of sensitive information vulnerability exists in Jenkins Black Duck Detect Plugin 1.4.0 and older in DetectPostBuildStepDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2017-2609 (v3: 4.3) 22 May 2018
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
CVE-2017-2603 (v3: 3.5) 15 May 2018
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
CVE-2017-2600 (v3: 4.3) 15 May 2018
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

Improper SQL ('SQL Injection')

Out-of-bounds Read

Cross-Site Request Forgery (CSRF)

CVE-2020-2192 (v3: 6.5) 3 Jun 2020
A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.
CVE-2020-2196 (v3: 8) 3 Jun 2020
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
CVE-2020-2184 (v3: 4.3) 6 May 2020
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
CVE-2020-2186 (v3: 4.3) 6 May 2020
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.
CVE-2020-2160 (v3: 8.8) 25 Mar 2020
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
CVE-2020-2141 (v3: 4.3) 9 Mar 2020
A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add a labels in Perforce.
CVE-2020-2147 (v3: 4.3) 9 Mar 2020
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
CVE-2020-2116 (v3: 8.8) 12 Feb 2020
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2020-2090 (v3: 8.8) 15 Jan 2020
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
CVE-2020-2093 (v3: 8.8) 15 Jan 2020
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.
CVE-2020-2098 (v3: 8.8) 15 Jan 2020
A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins.
CVE-2019-16550 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents.
CVE-2019-16551 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.
CVE-2019-16553 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression.
CVE-2019-16560 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.
CVE-2019-16565 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-16569 (v3: 4.3) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
CVE-2019-16570 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server.
CVE-2019-16573 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-16575 (v3: 8.8) 17 Dec 2019
A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.
CVE-2019-16548 (v3: 8.8) 21 Nov 2019
A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents.
CVE-2019-10462 (v3: 8.1) 23 Oct 2019
A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10464 (v3: 8.8) 23 Oct 2019
A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.
CVE-2019-10468 (v3: 8.8) 23 Oct 2019
A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10471 (v3: 8.8) 23 Oct 2019
A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10437 (v3: 8.8) 16 Oct 2019
A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10441 (v3: 4.3) 16 Oct 2019
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10454 (v3: 4.3) 16 Oct 2019
A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10456 (v3: 4.3) 16 Oct 2019
A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10408 (v3: 4.3) 25 Sep 2019
A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.
CVE-2019-10384 (v3: 8.8) 28 Aug 2019
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVE-2019-10368 (v3: 8.8) 7 Aug 2019
A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10386 (v3: 8.8) 7 Aug 2019
A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10388 (v3: 4.3) 7 Aug 2019
A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
CVE-2019-10359 (v3: 6.3) 31 Jul 2019
A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.
CVE-2019-10353 (v3: 7.5) 17 Jul 2019
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
CVE-2019-10340 (v3: 8.8) 11 Jul 2019
A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10331 (v3: 4.3) 11 Jun 2019
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10338 (v3: 8.8) 11 Jun 2019
A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials.
CVE-2019-10321 (v3: 4.3) 31 May 2019
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10324 (v3: 6.5) 31 May 2019
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively.
CVE-2019-10326 (v3: 4.3) 31 May 2019
A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds.
CVE-2019-10307 (v3: 6.5) 30 Apr 2019
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.
CVE-2019-10310 (v3: 8.8) 30 Apr 2019
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
CVE-2019-10315 (v3: 8.8) 30 Apr 2019
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.
CVE-2019-10300 (v3: 8) 18 Apr 2019
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-10304 (v3: 6.5) 18 Apr 2019
A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.
CVE-2019-10278 (v3: 6.5) 4 Apr 2019
A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
CVE-2019-10289 (v3: 6.5) 4 Apr 2019
A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.
CVE-2019-10292 (v3: 6.5) 4 Apr 2019
A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.

Path Traversal

CVE-2020-2139 (v3: 6.5) 9 Mar 2020
An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system.
CVE-2019-16540 (v3: 6.5) 21 Nov 2019
A path traversal vulnerability in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master.
CVE-2019-10352 (v3: 6.5) 17 Jul 2019
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
CVE-2018-1000997 (v3: 6.5) 23 Jan 2019
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.
CVE-2018-1000406 (v3: 6.5) 9 Jan 2019
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
CVE-2018-1000863 (v3: 8.2) 10 Dec 2018
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
CVE-2018-1000194 (v3: 8.1) 5 Jun 2018
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
CVE-2018-1000175 (v3: 6.5) 8 May 2018
A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master.
CVE-2018-6356 (v3: 6.5) 20 Feb 2018
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
CVE-2016-4986 (v3: 7.5) 9 Feb 2017
Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter.
CVE-2016-4987 (v3: 6.5) 9 Feb 2017
Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.
CVE-2015-1807 (v2: 3.5) 16 Oct 2015
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.
CVE-2014-3664 (v2: 4) 15 Oct 2014
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.
CVE-2014-2059 (v2: 6.5) 1 Mar 2014
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Improper Access Control

CVE-2019-10330 (v3: 7.5) 31 May 2019
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.
CVE-2019-1003006 (v3: 8.8) 6 Feb 2019
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Use After Free