Vulnerabilities in Jenkins project

1,522 results
Vexday analysis

Com 1.064 CVEs catalogadas, o Jenkins Project acumula um volume expressivo de vulnerabilidades históricas, embora a taxa de exploração ativa — 0,19% das CVEs presentes no catálogo CISA KEV — esteja abaixo da média geral do catálogo (0,45%), o que sugere que a maioria das falhas não chegou a ser amplamente weaponizada. O ponto de maior atenção é o EPSS máximo observado de 0,9843, indicando que ao menos uma vulnerabilidade no portfólio apresenta probabilidade de exploração extremamente elevada segundo modelos preditivos. A CVE mais perigosa em exploração ativa, CVE-2019-1003030, carrega um EPSS de 0,7596, reforçando a necessidade de priorizar ambientes que ainda não aplicaram as correções correspondentes. O tipo de falha mais comum, CWE-862 (ausência de verificação de autorização), combinado com 11 CVEs com PoC pública, aponta para uma superfície de ataque relevante que exige controle rigoroso de permissões e aplicação consistente de patches.

CVE-2022-34183Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displayinEPSS 0.6%CVE-2022-34191Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier does not escape the name of NetStorm Test parameters on views diEPSS 0.6%CVE-2023-33001HIGHJenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the buildEPSS 0.6%CVE-2023-24450MEDIUMJenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be EPSS 0.6%CVE-2022-43429HIGHJenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be eEPSS 0.6%CVE-2023-50771Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing EPSS 0.6%CVE-2026-57296HIGHJenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided tEPSS 0.6%CVE-2026-57281HIGHJenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions mEPSS 0.6%CVE-2019-16558Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.EPSS 0.6%CVE-2019-10397Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuratioEPSS 0.6%CVE-2022-38664Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History pagEPSS 0.6%CVE-2022-45382MEDIUMJenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, rEPSS 0.6%CVE-2022-25189Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a storeEPSS 0.6%CVE-2022-45401MEDIUMJenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSSEPSS 0.6%CVE-2022-25191Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored crosEPSS 0.6%CVE-2022-41239MEDIUMJenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying theEPSS 0.6%CVE-2023-32977MEDIUMJenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a storedEPSS 0.6%CVE-2023-24422HIGHA sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackerEPSS 0.6%CVE-2023-24451A missing permission check in Jenkins Cisco Spark Notifier Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to enumeraEPSS 0.6%CVE-2022-28138A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to anEPSS 0.6%