Exposure of Jenkins
CI28
exposure score
15
sites use
1
exploited
2
critical
CVEs
141 resultsCVE-2024-23897CRITICALJenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character folloEPSS 100.0%KEVCVE-2020-2230—Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-siteEPSS 83.1%CVE-2024-23898HIGHJenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests maEPSS 66.9%CVE-2019-10405—Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attacEPSS 65.8%CVE-2024-43044HIGHJenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system byEPSS 28.8%CVE-2026-53435HIGHIn Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in JEPSS 14.3%CVE-2019-10352—A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.jEPSS 10.2%CVE-2020-2103—Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.EPSS 7.0%CVE-2020-2229—Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripEPSS 6.8%CVE-2017-2608HIGHJenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types iEPSS 6.3%CVE-2020-2231—Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotEPSS 5.3%CVE-2025-59474MEDIUMJenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible tEPSS 4.7%CVE-2024-43045MEDIUMJenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/EPSS 4.3%CVE-2022-0538—Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections forEPSS 3.8%CVE-2020-2100—Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.EPSS 3.4%CVE-2023-43494—Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., pEPSS 3.4%CVE-2012-0785—Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before EPSS 3.4%CVE-2021-21639—Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `conEPSS 2.7%CVE-2021-21690—Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and EPSS 2.5%CVE-2012-4438—Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data aEPSS 2.4%
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →