Filtered by vendor Jenkins
Subscriptions
Total
1745 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1000861 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2025-11-05 | 9.8 Critical |
| A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | ||||
| CVE-2025-64134 | 1 Jenkins | 2 Jdepend, Jenkins | 2025-11-05 | 7.1 High |
| Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2025-64150 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 5.4 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-64149 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-64148 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2025-64147 | 1 Jenkins | 2 Curseforge Publisher, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-64146 | 1 Jenkins | 2 Curseforge Publisher, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2025-64145 | 1 Jenkins | 2 Byteguard Build Actions, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-64144 | 1 Jenkins | 2 Byteguard Build Actions, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2025-64143 | 1 Jenkins | 1 Openshift Pipeline | 2025-11-04 | 4.3 Medium |
| Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2025-64142 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2025-64141 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2025-64139 | 1 Jenkins | 2 Jenkins, Start Windocks Container | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | ||||
| CVE-2025-64138 | 1 Jenkins | 2 Jenkins, Start Windocks Container | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL. | ||||
| CVE-2025-64137 | 1 Jenkins | 2 Jenkins, Themis | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | ||||
| CVE-2025-64136 | 1 Jenkins | 2 Jenkins, Themis | 2025-11-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server. | ||||
| CVE-2025-59476 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. | ||||
| CVE-2025-59475 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). | ||||
| CVE-2025-59474 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. | ||||
| CVE-2025-58460 | 1 Jenkins | 2 Jenkins, Opentelemetry | 2025-11-04 | 4.2 Medium |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||