Jenkins Project Jenkins vulnerabilities
73 known vulnerabilities affecting jenkins_project/jenkins.
Total CVEs
73
CISA KEV
0
Public exploits
5
Exploited in wild
0
Severity breakdown
CRITICAL11HIGH16MEDIUM46
Vulnerabilities
Page 2 of 4
CVE-2020-2099P3HIGHCVSS 8.6≥ unspecified, ≤ 2.2132020-01-29
CVE-2020-2099 [HIGH] CWE-330 CVE-2020-2099: Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in th
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
nvd
CVE-2021-21686P3HIGHCVSS 8.1≥ unspecified, ≤ 2.3182021-11-04
CVE-2021-21686 [HIGH] CWE-59 CVE-2021-21686: File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.
File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.
nvd
CVE-2021-21688P3HIGHCVSS 7.5≥ unspecified, ≤ 2.3182021-11-04
CVE-2021-21688 [HIGH] CWE-862 CVE-2021-21688: The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, L
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).
nvd
CVE-2021-21605P3HIGHCVSS 8.0≥ unspecified, ≤ 2.2742021-01-13
CVE-2021-21605 [HIGH] CWE-22 CVE-2021-21605: Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to c
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.
nvd
CVE-2012-0785P3HIGHCVSS 7.5vbefore 1.4472020-02-24
CVE-2012-0785 [HIGH] CWE-400 CVE-2012-0785: Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."
nvd
CVE-2021-21604P3HIGHCVSS 8.0≥ unspecified, ≤ 2.2742021-01-13
CVE-2021-21604 [HIGH] CWE-502 CVE-2021-21604: Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or con
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
nvd
CVE-2022-34175P3HIGHCVSS 7.5≥ 2.335, < unspecified≥ unspecified, ≤ 2.3552022-06-23
CVE-2022-34175 [HIGH] CVE-2022-34175: Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection m
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
nvd
CVE-2019-1003003P3HIGHCVSS 7.2v2.158 and earlier, LTS 2.150.1 and earlier2019-01-22
CVE-2019-1003003 [HIGH] CVE-2019-1003003: An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts
nvd
CVE-2019-10384P3HIGHCVSS 8.8v2.191 and earlier, LTS 2.176.2 and earlier2019-08-28
CVE-2019-10384 [HIGH] CWE-352 CVE-2019-10384: Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an as
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
nvd
CVE-2019-1003004P3HIGHCVSS 7.2v2.171 and earlier, LTS 2.164.1 and earlier2019-01-22
CVE-2019-1003004 [HIGH] CVE-2019-1003004: An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.
nvd
CVE-2021-21602P3MEDIUMCVSS 6.5≥ unspecified, ≤ 2.2742021-01-13
CVE-2021-21602 [MEDIUM] CWE-59 CVE-2021-21602: Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file bro
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.
nvd
CVE-2021-21683P3MEDIUMCVSS 6.5≥ unspecified, ≤ 2.3142021-10-06
CVE-2021-21683 [MEDIUM] CWE-22 CVE-2021-21683: The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to f
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.
nvd
CVE-2021-21671P3HIGHCVSS 7.5≥ 2.266, < unspecified≥ LTS 2.277.1, < unspecified+1 more2021-06-30
CVE-2021-21671 [HIGH] CVE-2021-21671: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
nvd
CVE-2019-10353P3HIGHCVSS 7.5v2.185 and earlier, LTS 2.176.1 and earlier2019-07-17
CVE-2019-10353 [HIGH] CWE-352 CVE-2019-10353: CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing a
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
nvd
CVE-2021-21607P4MEDIUMCVSS 6.5≥ unspecified, ≤ 2.2742021-01-13
CVE-2021-21607 [MEDIUM] CWE-770 CVE-2021-21607: Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.
nvd
CVE-2021-21615P4MEDIUMCVSS 5.3v2.275vLTS 2.263.22021-01-26
CVE-2021-21615 [MEDIUM] CWE-367 CVE-2021-21615: Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces a
Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
nvd
CVE-2020-2105P4MEDIUMCVSS 5.4≥ unspecified, ≤ 2.2182020-01-29
CVE-2020-2105 [MEDIUM] CWE-1021 CVE-2020-2105: REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjac
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
nvd
CVE-2020-2100P4MEDIUMCVSS 5.8≥ unspecified, ≤ 2.2182020-01-29
CVE-2020-2100 [MEDIUM] CVE-2020-2100: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
nvd
CVE-2020-2102P4MEDIUMCVSS 5.3≥ unspecified, ≤ 2.2182020-01-29
CVE-2020-2102 [MEDIUM] CWE-203 CVE-2020-2102: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
nvd
CVE-2020-2101P4MEDIUMCVSS 5.3≥ unspecified, ≤ 2.2182020-01-29
CVE-2020-2101 [MEDIUM] CWE-203 CVE-2020-2101: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function f
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
nvd