Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Filtered by product Jenkins
Total 246 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-2231 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
CVE-2020-2221 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
CVE-2020-2222 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
CVE-2012-0785 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2024-02-28 7.8 HIGH 7.5 HIGH
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."
CVE-2020-2103 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 5.4 MEDIUM
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
CVE-2020-2100 1 Jenkins 1 Jenkins 2024-02-28 5.0 MEDIUM 5.8 MEDIUM
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
CVE-2019-10405 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
CVE-2012-4441 1 Jenkins 1 Jenkins 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2012-4440 1 Jenkins 1 Jenkins 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.
CVE-2019-10404 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
CVE-2012-4438 1 Jenkins 1 Jenkins 2024-02-28 6.5 MEDIUM 8.8 HIGH
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.
CVE-2020-2101 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.3 MEDIUM
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
CVE-2020-2105 1 Jenkins 1 Jenkins 2024-02-28 4.3 MEDIUM 5.4 MEDIUM
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
CVE-2019-10403 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
CVE-2019-10402 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
CVE-2019-10401 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
CVE-2012-4439 1 Jenkins 1 Jenkins 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.
CVE-2020-2104 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
CVE-2020-2099 1 Jenkins 1 Jenkins 2024-02-28 7.5 HIGH 8.6 HIGH
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
CVE-2019-10406 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 4.8 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.