Jenkins Project Jenkins vulnerabilities
73 known vulnerabilities affecting jenkins_project/jenkins.
Total CVEs: 73
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 16, MEDIUM 46
Vulnerabilities
Page 3 of 4
CVE-2020-2161 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.227 | 2020-03-25
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Source: nvd
CVE-2021-21609 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | affected: ≥ unspecified, ≤ 2.274 | 2021-01-13
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
Source: nvd
CVE-2021-21639 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ unspecified, ≤ 2.286 | 2021-04-07
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
Source: nvd
CVE-2022-34173 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.340, < unspecified; ≥ unspecified, ≤ 2.355 | 2022-06-23
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Source: nvd
CVE-2022-34170 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.320, < unspecified; ≥ unspecified, ≤ 2.355 (+1 more) | 2022-06-23
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Source: nvd
CVE-2022-34171 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.321, < unspecified; ≥ unspecified, ≤ 2.355 (+1 more) | 2022-06-23
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vuln
Source: nvd
CVE-2019-1003050 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: v2.171 and earlier, LTS 2.164.1 and earlier | 2019-04-10
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
Source: nvd
CVE-2020-2162 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.227 | 2020-03-25
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
Source: nvd
CVE-2020-2163 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.227 | 2020-03-25
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
Source: nvd
CVE-2019-10403 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: v2.196 and earlier, LTS 2.176.3 and earlier | 2019-09-25
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
Source: nvd
CVE-2019-10401 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: v2.196 and earlier, LTS 2.176.3 and earlier | 2019-09-25
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
Source: nvd
CVE-2019-10404 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: v2.196 and earlier, LTS 2.176.3 and earlier | 2019-09-25
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
Source: nvd
CVE-2019-10402 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: v2.196 and earlier, LTS 2.176.3 and earlier | 2019-09-25
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
Source: nvd
CVE-2021-21610 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ unspecified, ≤ 2.274 | 2021-01-13
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
Source: nvd
CVE-2022-34172 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.340, < unspecified; ≥ unspecified, ≤ 2.355 | 2022-06-23
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
Source: nvd
CVE-2021-21611 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.274 | 2021-01-13
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.
Source: nvd
CVE-2022-41224 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.367, < unspecified; ≥ unspecified, ≤ 2.369 | 2022-09-21
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.
Source: nvd
CVE-2020-2222 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.244 | 2020-07-15
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
Source: nvd
CVE-2020-2221 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.244 | 2020-07-15
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
Source: nvd
CVE-2020-2223 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, ≤ 2.244 | 2020-07-15
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not correctly escape the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.
Source: nvd