Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-43496

Summary
Assigner-jenkins
Assigner Org ID-39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At-20 Sep, 2023 | 16:06
Updated At-02 May, 2025 | 15:32
Rejected At-
Credits

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jenkins
Assigner Org ID:39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At:20 Sep, 2023 | 16:06
Updated At:02 May, 2025 | 15:32
Rejected At:
▼CVE Numbering Authority (CNA)

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

Affected Products
Vendor
JenkinsJenkins Project
Product
Jenkins
Default Status
affected
Versions
Unaffected
  • From 2.424 before * (maven)
  • From 2.414.2 before 2.414.* (maven)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
vendor-advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5
N/A
Hyperlink: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
Resource:
vendor-advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/09/20/5
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
vendor-advisory
x_transferred
http://www.openwall.com/lists/oss-security/2023/09/20/5
x_transferred
Hyperlink: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
Resource:
vendor-advisory
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2023/09/20/5
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-276CWE-276 Incorrect Default Permissions
Type: CWE
CWE ID: CWE-276
Description: CWE-276 Incorrect Default Permissions
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:jenkinsci-cert@googlegroups.com
Published At:20 Sep, 2023 | 17:15
Updated At:02 May, 2025 | 16:15

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Jenkins
jenkins
>>jenkins>>Versions before 2.414.2(exclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Jenkins
jenkins
>>jenkins>>Versions before 2.424(exclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
Weaknesses
CWE IDTypeSource
CWE-276Primarynvd@nist.gov
CWE-276Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-276
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-276
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2023/09/20/5jenkinsci-cert@googlegroups.com
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072jenkinsci-cert@googlegroups.com
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/09/20/5
Source: jenkinsci-cert@googlegroups.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
Source: jenkinsci-cert@googlegroups.com
Resource:
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/09/20/5
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

237Records found

CVE-2026-48920
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.30% / 21.63%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:13
Updated-28 May, 2026 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.

Action-Not Available
Vendor-Jenkins
Product-email_extensionJenkins Email Extension Plugin
CWE ID-CWE-73
External Control of File Name or Path
CVE-2022-25173
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.42% / 69.61%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:10
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Groovy Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-32986
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-63.14% / 99.10%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Action-Not Available
Vendor-Jenkins
Product-file_parametersJenkins File Parameter Plugin
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-32992
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.83% / 53.14%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

Action-Not Available
Vendor-Jenkins
Product-saml_single_sign_onJenkins SAML Single Sign On(SSO) Plugin
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-33001
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.16% / 63.29%
||
7 Day CHG+0.41%
Published-18 Mar, 2026 | 15:15
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Action-Not Available
Vendor-Red Hat, Inc.Jenkins
Product-jenkinsJenkinsOpenShift Developer Tools and Services 4.15OpenShift Developer Tools and Services 4.21OpenShift Developer Tools and Services 4.19Red Hat Developer HubOpenShift Developer Tools and Services 4.16OpenShift Developer Tools and Services 4.13OpenShift Developer Tools and Services 4.14OpenShift Developer Tools and Services 4.17OpenShift Developer Tools and Services 4.12OpenShift Developer Tools and Services 4.2OpenShift Developer Tools and Services 4.18
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2018-1000412
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.19% / 64.27%
||
7 Day CHG~0.00%
Published-09 Jan, 2019 | 23:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-n/aJenkins
Product-jiran/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-41939
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.55% / 42.03%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:08
Updated-26 Sep, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.

Action-Not Available
Vendor-Jenkins
Product-ssh2_easyJenkins SSH2 Easy Plugin
CWE ID-CWE-281
Improper Preservation of Permissions
CVE-2023-41933
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.75% / 50.44%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:08
Updated-26 Sep, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-job_configuration_historyJenkins Job Configuration History Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-32981
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.02% / 59.07%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

Action-Not Available
Vendor-Jenkins
Product-pipeline_utility_stepsJenkins Pipeline Utility Steps Plugin
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-41945
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.55% / 42.03%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:09
Updated-26 Sep, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Action-Not Available
Vendor-Jenkins
Product-assembla_authJenkins Assembla Auth Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-64140
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.29%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 13:29
Updated-22 Dec, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands.

Action-Not Available
Vendor-Jenkins
Product-azure_cliJenkins Azure CLI Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-41234
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.83% / 52.97%
||
7 Day CHG+0.02%
Published-21 Sep, 2022 | 15:45
Updated-28 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

Action-Not Available
Vendor-Jenkins
Product-rundeckJenkins Rundeck Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-43044
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-28.78% / 97.91%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 13:27
Updated-14 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-28160
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.13% / 62.43%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 17:02
Updated-07 May, 2025 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

Action-Not Available
Vendor-Jenkins
Product-icescrumJenkins iceScrum Pluginicescrum
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10302
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.37% / 68.64%
||
7 Day CHG~0.00%
Published-18 Apr, 2019 | 16:54
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-jira-extJenkins jira-ext Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-1003001
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-86.22% / 99.71%
||
7 Day CHG~0.00%
Published-22 Jan, 2019 | 14:00
Updated-05 Aug, 2024 | 03:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Action-Not Available
Vendor-Red Hat, Inc.Jenkins
Product-pipeline\openshift_container_platformPipeline: Groovy Plugin
CVE-2019-1003062
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.36% / 68.47%
||
7 Day CHG~0.00%
Published-04 Apr, 2019 | 15:38
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-aws_cloudwatch_logs_publisherJenkins AWS CloudWatch Logs Publisher Plugin
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2019-1003066
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.36% / 68.47%
||
7 Day CHG~0.00%
Published-04 Apr, 2019 | 15:38
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-bugzillaJenkins Bugzilla Plugin
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2025-31722
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.13% / 62.37%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 14:59
Updated-26 Feb, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Action-Not Available
Vendor-Jenkins
Product-templating_engineJenkins Templating Engine Plugin
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-21657
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.60% / 72.77%
||
7 Day CHG~0.00%
Published-25 May, 2021 | 14:10
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-filesystem_triggerJenkins Filesystem Trigger Plugin
CVE-2021-21677
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.21% / 80.45%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 13:50
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-code_coverage_apiJenkins Code Coverage API Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21646
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.75% / 75.10%
||
7 Day CHG~0.00%
Published-21 Apr, 2021 | 14:20
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Action-Not Available
Vendor-Jenkins
Product-templating_engineJenkins Templating Engine Plugin
CVE-2020-2189
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.28% / 81.03%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 12:45
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-source_code_management_filter_jervisJenkins SCM Filter Jervis Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-2228
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.43% / 69.83%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 17:00
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

Action-Not Available
Vendor-Jenkins
Product-gitlab_authenticationJenkins Gitlab Authentication Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2200
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.42% / 82.18%
||
7 Day CHG~0.00%
Published-03 Jun, 2020 | 12:40
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.

Action-Not Available
Vendor-Jenkins
Product-play_frameworkJenkins Play Framework Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-2261
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.36% / 68.28%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller

Action-Not Available
Vendor-Jenkins
Product-perfectoJenkins Perfecto Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-2211
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.28% / 81.03%
||
7 Day CHG~0.00%
Published-02 Jul, 2020 | 14:55
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-kubernetes_ciJenkins ElasticBox Jenkins Kubernetes CI/CD Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-2135
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.01% / 58.74%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:00
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

Action-Not Available
Vendor-Jenkins
Product-script_securityJenkins Script Security Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2159
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.00% / 78.38%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:01
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

Action-Not Available
Vendor-Jenkins
Product-cryptomoveJenkins CryptoMove Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-2158
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.87% / 85.08%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:01
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-literateJenkins Literate Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-2171
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.15% / 63.01%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 16:05
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-rapiddeployJenkins RapidDeploy Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2166
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.03% / 78.73%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 16:05
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: AWS Steps Plugin
CWE ID-CWE-20
Improper Input Validation
CVE-2020-2115
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.15% / 63.01%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-nunitJenkins NUnit Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2180
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.28% / 81.03%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 13:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-amazon_web_services_serverless_application_modelJenkins AWS SAM Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-2110
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.27% / 66.20%
||
7 Day CHG+0.01%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Action-Not Available
Vendor-Jenkins
Product-script_securityJenkins Script Security Plugin
CWE ID-CWE-20
Improper Input Validation
CVE-2020-2168
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.96% / 77.86%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 16:05
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-azure_container_serviceJenkins Azure Container Service Plugin
CWE ID-CWE-20
Improper Input Validation
CVE-2020-2123
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.28% / 81.03%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-radargunJenkins RadarGun Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-2097
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.21% / 64.68%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 06:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Action-Not Available
Vendor-Jenkins
Product-soundsJenkins Sounds Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2092
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.38% / 68.83%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 06:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents.

Action-Not Available
Vendor-Jenkins
Product-robot_frameworkJenkins Robot Framework Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2167
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.08% / 79.18%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 16:05
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-openshift_pipelineJenkins OpenShift Pipeline Plugin
CWE ID-CWE-20
Improper Input Validation
CVE-2020-2179
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.87% / 85.08%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 13:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Action-Not Available
Vendor-Jenkins
Product-yaml_axisJenkins Yaml Axis Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-16552
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.43%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on the Jenkins master.

Action-Not Available
Vendor-Jenkins
Product-gerrit_triggerJenkins Gerrit Trigger Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-16559
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.68% / 47.74%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-websphere_deployerJenkins WebSphere Deployer Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-16554
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.82% / 52.66%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.

Action-Not Available
Vendor-Jenkins
Product-build_failure_analyzerJenkins Build Failure Analyzer Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-52551
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8||HIGH
EPSS-0.57% / 42.85%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 20:53
Updated-08 Oct, 2025 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Declarative Pluginjenkins_pipeline_declaratrive_plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-10473
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 47.81%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-libvirt_slavesJenkins Libvirt Slaves Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-10465
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.79% / 51.72%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-deploy_weblogicJenkins Deploy WebLogic Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-10463
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.84% / 53.27%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-dynatrace_application_monitoringJenkins Dynatrace Application Monitoring Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-10474
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 47.77%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Global Post Script Plugin in allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-global_post_scriptJenkins Global Post Script Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-10472
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.84% / 53.28%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-libvirt_slavesJenkins Libvirt Slaves Plugin
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found