cvebase

Jenkins Project Jenkins vulnerabilities

73 known vulnerabilities affecting jenkins_project/jenkins.

Total CVEs: 73
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 16, MEDIUM 46

Vulnerabilities

Page 1 of 4
CVE-2020-2230 | P3 | MEDIUM | CVSS 5.4 | PoC | ≥ unspecified, ≤ 2.251 | 2020-08-12
CWE-79: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
nvd
CVE-2019-10405 | P3 | MEDIUM | CVSS 5.4 | PoC | v2.196 and earlier, LTS 2.176.3 and earlier | 2019-09-25
CWE-79: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
nvd
CVE-2021-21696 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller proce
nvd
CVE-2020-2103 | P3 | MEDIUM | CVSS 5.4 | PoC | ≥ unspecified, ≤ 2.218 | 2020-01-29
CWE-200: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
nvd
CVE-2020-2229 | P3 | MEDIUM | CVSS 5.4 | PoC | ≥ unspecified, ≤ 2.251 | 2020-08-12
CWE-79: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
nvd
CVE-2020-2231 | P3 | MEDIUM | CVSS 5.4 | PoC | ≥ unspecified, ≤ 2.251 | 2020-08-12
CWE-79: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
nvd
CVE-2021-21691 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-59: Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2021-21689 | P3 | CRITICAL | CVSS 9.1 | ≥ unspecified, ≤ 2.318 | 2021-11-04
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2021-21692 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-22: FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
nvd
CVE-2021-21687 | P3 | CRITICAL | CVSS 9.1 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-862: Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
nvd
CVE-2021-21685 | P3 | CRITICAL | CVSS 9.1 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-862: Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
nvd
CVE-2021-21693 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-863: When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2021-21697 | P3 | CRITICAL | CVSS 9.1 | ≥ unspecified, ≤ 2.318 | 2021-11-04
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
nvd
CVE-2021-21690 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-22: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2021-43859 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ 2.333 | 2022-02-01
CWE-400: XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors an
nvd
CVE-2021-21695 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-59: FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2019-10352 | P3 | MEDIUM | CVSS 6.5 | v2.185 and earlier, LTS 2.176.1 and earlier | 2019-07-17
CWE-22: A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
nvd
CVE-2021-21694 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ 2.318 | 2021-11-04
CWE-862: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
nvd
CVE-2022-34174 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ 2.355 | 2022-06-23
CWE-203: In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
nvd
CVE-2023-27898 | P3 | CRITICAL | CVSS 9.6 | ≥ 2.270, < 2.* | 2023-03-10
CWE-79: Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide pl
nvd