Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-2632

Summary
Assigner-SNPS
Assigner Org ID-8cad7728-009c-4a3d-a95e-ca62e6ff8a0b
Published At-16 May, 2023 | 17:54
Updated At-22 Jan, 2025 | 20:34
Rejected At-
Credits

API keys stored and displayed in plain text by Code Dx Plugin

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SNPS
Assigner Org ID:8cad7728-009c-4a3d-a95e-ca62e6ff8a0b
Published At:16 May, 2023 | 17:54
Updated At:22 Jan, 2025 | 20:34
Rejected At:
▼CVE Numbering Authority (CNA)
API keys stored and displayed in plain text by Code Dx Plugin

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Affected Products
Vendor
JenkinsJenkins
Product
Jenkins Code Dx Plugin
Default Status
unaffected
Versions
Affected
  • From 0 through 3.1.0 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-256CWE-256: Plaintext Storage of a Password
Type: CWE
CWE ID: CWE-256
Description: CWE-256: Plaintext Storage of a Password
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-22CAPEC-22 Exploiting Trust in Client
CAPEC ID: CAPEC-22
Description: CAPEC-22 Exploiting Trust in Client
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146
N/A
Hyperlink: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146
x_transferred
Hyperlink: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@synopsys.com
Published At:16 May, 2023 | 18:15
Updated At:25 May, 2023 | 16:08

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Jenkins
jenkins
>>code_dx>>Versions up to 3.1.0(inclusive)
cpe:2.3:a:jenkins:code_dx:*:*:*:*:*:jenkins:*:*
Weaknesses
CWE IDTypeSource
CWE-522Primarynvd@nist.gov
CWE-256Secondarydisclosure@synopsys.com
CWE ID: CWE-522
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-256
Type: Secondary
Source: disclosure@synopsys.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146disclosure@synopsys.com
Vendor Advisory
Hyperlink: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146
Source: disclosure@synopsys.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

308Records found
CVE-2022-36904
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 27.00%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:25
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-repository_connectorJenkins Repository Connector Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36891
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.31%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:22
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier allows attackers with Item/Read permission but without Deploy Now/Deploy permission to read deployment logs.

Action-Not Available
Vendor-Jenkins
Product-deployer_frameworkJenkins Deployer Framework Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36895
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.31%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:23
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-compuware_topaz_utilitiesJenkins Compuware Topaz Utilities Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36915
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.38%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:27
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Android Signing Plugin 2.2.5 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.

Action-Not Available
Vendor-Jenkins
Product-android_signingJenkins Android Signing Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36893
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 27.00%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:23
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins rpmsign-plugin Plugin 0.5.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.

Action-Not Available
Vendor-Jenkins
Product-rpmsign-pluginJenkins rpmsign-plugin Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-34796
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.97% / 75.68%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:47
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-deployment_dashboardJenkins Deployment Dashboard Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-34785
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.84% / 73.70%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:46
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.

Action-Not Available
Vendor-Jenkins
Product-build-metricsJenkins build-metrics Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-34811
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.98%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:49
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to access the XPath Configuration Viewer page.

Action-Not Available
Vendor-Jenkins
Product-xpath_configuration_viewerJenkins XPath Configuration Viewer Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-34814
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.98%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:49
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests.

Action-Not Available
Vendor-Jenkins
Product-request_rename_or_deleteJenkins Request Rename Or Delete Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-34801
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 62.47%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Action-Not Available
Vendor-Jenkins
Product-build_notificationsJenkins Build Notifications Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2022-43413
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.26%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-job_importJenkins Job Import Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-20620
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.97% / 75.68%
||
7 Day CHG~0.00%
Published-12 Jan, 2022 | 19:05
Updated-03 Aug, 2024 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-ssh_agentJenkins SSH Agent Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-21653
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.84%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 14:15
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-xray_-_test_management_for_jiraJenkins Xray - Test Management for Jira Plugin
CVE-2022-30957
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 62.91%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-sshJenkins SSH Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36913
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.38%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:27
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Openstack Heat Plugin 1.5 and earlier does not perform permission checks in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-openstack_heatJenkins Openstack Heat Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-34779
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.98%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:46
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-xebialabs_xl_releaseJenkins XebiaLabs XL Release Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-34804
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 58.86%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure.

Action-Not Available
Vendor-Jenkins
Product-opsgenieJenkins OpsGenie Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-10445
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.

Action-Not Available
Vendor-Jenkins
Product-google_kubernetes_engineJenkins Google Kubernetes Engine Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-10447
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.74%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-sofy.aiJenkins Sofy.AI Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-31720
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.42%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 14:59
Updated-29 Apr, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-862
Missing Authorization
CVE-2022-28147
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.90% / 74.71%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:31
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-continuous_integration_with_toad_edgeJenkins Continuous Integration with Toad Edge Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-31721
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.42%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 14:59
Updated-29 Apr, 2025 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-862
Missing Authorization
CVE-2025-27622
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.60%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 22:33
Updated-24 Jun, 2025 | 00:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-27623
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.54%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 22:33
Updated-24 Jun, 2025 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2022-23113
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.77% / 72.55%
||
7 Day CHG~0.00%
Published-12 Jan, 2022 | 19:06
Updated-15 Oct, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

Action-Not Available
Vendor-Jenkins
Product-publish_over_sshJenkins Publish Over SSH Plugin
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-25180
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.60% / 68.64%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Groovy Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2022-25190
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.03%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-15 Oct, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-conjur_secretsJenkins Conjur Secrets Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36890
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.66% / 70.22%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:22
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-deployer_frameworkJenkins Deployer Framework Plugin
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-21651
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.36%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 14:15
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.

Action-Not Available
Vendor-Jenkins
Product-s3_publisherJenkins S3 publisher Plugin
CVE-2021-21662
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.55%
||
7 Day CHG~0.00%
Published-10 Jun, 2021 | 14:25
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-xebialabs_xl_deployJenkins XebiaLabs XL Deploy Plugin
CVE-2018-1000192
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.50%
||
7 Day CHG~0.00%
Published-05 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Action-Not Available
Vendor-n/aJenkinsOracle Corporation
Product-communications_cloud_native_core_automated_test_suitejenkinsn/a
CVE-2020-2285
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-23 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-liquibase_runnerJenkins Liquibase Runner Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-2306
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.91%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

Action-Not Available
Vendor-Jenkins
Product-mercurialJenkins Mercurial Plugin
CVE-2020-2251
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.72%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 13:50
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

Action-Not Available
Vendor-Jenkins
Product-jenkinssoapui_pro_functional_testingJenkins SoapUI Pro Functional Testing Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-2188
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 12:45
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-amazon_ec2Jenkins Amazon EC2 Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2310
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.36%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-ansibleJenkins Ansible Plugin
CVE-2020-2202
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-02 Jul, 2020 | 14:55
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-fortify_on_demandJenkins Fortify on Demand Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-2239
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.07%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 13:50
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-parameterized_remote_triggerJenkins Parameterized Remote Trigger Plugin
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-2197
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-03 Jun, 2020 | 12:40
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.

Action-Not Available
Vendor-Jenkins
Product-project_inheritanceJenkins Project Inheritance Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-2302
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.

Action-Not Available
Vendor-Jenkins
Product-active_directoryJenkins Active Directory Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-2313
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.36%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-azure_key_vaultJenkins Azure Key Vault Plugin
CVE-2020-2267
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Action-Not Available
Vendor-Jenkins
Product-mongodbJenkins MongoDB Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-2307
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.74%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Action-Not Available
Vendor-Jenkins
Product-kubernetesJenkins Kubernetes Plugin
CVE-2020-2308
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.20%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.

Action-Not Available
Vendor-Jenkins
Product-kubernetesJenkins Kubernetes Plugin
CVE-2020-2118
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.16%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-pipeline_github_notify_stepJenkins Pipeline GitHub Notify Step Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-2117
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.16%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-pipeline_github_notify_stepJenkins Pipeline GitHub Notify Step Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-2153
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.74%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:01
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Backlog Plugin 2.4 and earlier transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

Action-Not Available
Vendor-Jenkins
Product-backlogJenkins Backlog Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-2177
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.74%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 13:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-coprJenkins Copr Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2020-2258
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

Action-Not Available
Vendor-Jenkins
Product-health_advisor_by_cloudbeesJenkins Health Advisor by CloudBees Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-20616
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.21%
||
7 Day CHG~0.00%
Published-12 Jan, 2022 | 19:05
Updated-03 Aug, 2024 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

Action-Not Available
Vendor-Jenkins
Product-credentials_bindingJenkins Credentials Binding Plugin
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found