Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-46653

Summary
Assigner-jenkins
Assigner Org ID-39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At-25 Oct, 2023 | 13:45
Updated At-13 Feb, 2025 | 17:14
Rejected At-
Credits

Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jenkins
Assigner Org ID:39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At:25 Oct, 2023 | 13:45
Updated At:13 Feb, 2025 | 17:14
Rejected At:
â–¼CVE Numbering Authority (CNA)

Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.

Affected Products
Vendor
JenkinsJenkins Project
Product
Jenkins lambdatest-automation Plugin
Default Status
unaffected
Versions
Affected
  • From 0 through 1.20.10 (maven)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
vendor-advisory
http://www.openwall.com/lists/oss-security/2023/10/25/2
N/A
Hyperlink: https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
Resource:
vendor-advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/10/25/2
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
vendor-advisory
x_transferred
http://www.openwall.com/lists/oss-security/2023/10/25/2
x_transferred
Hyperlink: https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
Resource:
vendor-advisory
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2023/10/25/2
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:jenkinsci-cert@googlegroups.com
Published At:25 Oct, 2023 | 18:17
Updated At:01 Nov, 2023 | 18:25

Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Jenkins
jenkins
>>lambdatest-automation>>Versions before 1.21.0(exclusive)
cpe:2.3:a:jenkins:lambdatest-automation:*:*:*:*:*:jenkins:*:*
Weaknesses
CWE IDTypeSource
CWE-312Primarynvd@nist.gov
CWE ID: CWE-312
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2023/10/25/2jenkinsci-cert@googlegroups.com
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202jenkinsci-cert@googlegroups.com
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/10/25/2
Source: jenkinsci-cert@googlegroups.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
Source: jenkinsci-cert@googlegroups.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

272Records found
CVE-2020-2319
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-vmware_lab_manager_slavesJenkins VMware Lab Manager Slaves Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-2293
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.22%
||
7 Day CHG~0.00%
Published-08 Oct, 2020 | 12:40
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

Action-Not Available
Vendor-Jenkins
Product-personaJenkins Persona Plugin
CVE-2020-2318
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-mail_commanderJenkins Mail Commander Plugin for Jenkins-ci Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-2233
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.74%
||
7 Day CHG~0.00%
Published-12 Aug, 2020 | 13:25
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-pipeline_maven_integrationJenkins Pipeline Maven Integration Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2250
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.13%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 13:50
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-soapui_pro_functional_testingJenkins SoapUI Pro Functional Testing Plugin
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-2315
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 50.48%
||
7 Day CHG~0.00%
Published-04 Nov, 2020 | 14:35
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-visualworks_storeJenkins Visualworks Store Plugin
CVE-2020-2298
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.69% / 71.36%
||
7 Day CHG~0.00%
Published-08 Oct, 2020 | 12:40
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-nerrvanaJenkins Nerrvana Plugin
CVE-2020-2130
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-harvest_scmJenkins Harvest SCM Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-2172
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.21%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 12:25
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-code_coverage_apiJenkins Code Coverage API Plugin
CWE ID-CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE-2020-2183
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 12:45
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.

Action-Not Available
Vendor-Jenkins
Product-copy_artifactJenkins Copy Artifact Plugin
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-2129
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-eagle_testerJenkins Eagle Tester Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-2132
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.52%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 14:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-parasoft_environment_managerJenkins Parasoft Environment Manager Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-24438
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 68.57%
||
7 Day CHG-0.09%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-jira_pipeline_stepsJenkins JIRA Pipeline Steps Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2016-4987
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 61.88%
||
7 Day CHG~0.00%
Published-09 Feb, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.

Action-Not Available
Vendor-n/aJenkins
Product-image_galleryn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-28672
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 59.56%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-25 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-octoperf_load_testingJenkins OctoPerf Load Testing Plugin Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-50773
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.19%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 17:30
Updated-13 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Action-Not Available
Vendor-Jenkins
Product-dingding_json_pusherJenkins Dingding JSON Pusher Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-50772
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.19%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 17:30
Updated-13 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-dingding_json_pusherJenkins Dingding JSON Pusher Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-50776
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.49%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 17:30
Updated-13 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-paaslane_estimateJenkins PaaSLane Estimate Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-50777
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.07%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 17:30
Updated-22 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Action-Not Available
Vendor-Jenkins
Product-paaslane_estimateJenkins PaaSLane Estimate Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-67637
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.80%
||
7 Day CHG~0.00%
Published-10 Dec, 2025 | 16:50
Updated-17 Dec, 2025 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2020-2274
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 1.06%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-elastestJenkins ElasTest Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2020-2177
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.25%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 13:35
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-coprJenkins Copr Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2020-2154
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 2.24%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:01
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-zephyr_for_jira_test_managementJenkins Zephyr for JIRA Test Management Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-67638
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.63%
||
7 Day CHG~0.00%
Published-10 Dec, 2025 | 16:50
Updated-17 Dec, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-32982
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.96%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-ansibleJenkins Ansible Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2023-32983
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 27.96%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Action-Not Available
Vendor-Jenkins
Product-ansibleJenkins Ansible Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-30527
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.42%
||
7 Day CHG+0.02%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-wso2_oauthJenkins WSO2 Oauth Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-30530
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.42%
||
7 Day CHG+0.02%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-consul_kv_builderJenkins Consul KV Builder Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-30523
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.42%
||
7 Day CHG+0.02%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-report_portalJenkins Report Portal Plugin
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-24454
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 29.02%
||
7 Day CHG-0.02%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-testquality_updaterJenkins TestQuality Updater Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-24442
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.12% / 30.73%
||
7 Day CHG-0.02%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-github_pull_request_coverage_statusJenkins GitHub Pull Request Coverage Status Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-24439
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 29.02%
||
7 Day CHG-0.02%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-jira_pipeline_stepsJenkins JIRA Pipeline Steps Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2022-41248
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.71%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-27 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Action-Not Available
Vendor-Jenkins
Product-bigpanda_notifierJenkins BigPanda Notifier Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10447
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.25%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-sofy.aiJenkins Sofy.AI Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10430
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 1.20%
||
7 Day CHG~0.00%
Published-25 Sep, 2019 | 15:05
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-neuvector_vulnerability_scannerJenkins NeuVector Vulnerability Scanner Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10433
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-3.3||LOW
EPSS-0.01% / 1.34%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 13:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Dingding[钉钉] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-dingdingJenkins Dingding[钉钉] Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10443
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.79%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-icescrumJenkins iceScrum Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10450
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-3.3||LOW
EPSS-0.01% / 0.47%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-elasticbox_ciJenkins ElasticBox CI Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10350
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.07%
||
7 Day CHG~0.00%
Published-11 Jul, 2019 | 13:55
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-port_allocatorJenkins Port Allocator Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10440
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.08% / 23.90%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-neoloadJenkins NeoLoad Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10348
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.07%
||
7 Day CHG~0.00%
Published-11 Jul, 2019 | 13:55
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-gogsJenkins Gogs Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10453
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.27%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-delphixJenkins Delphix Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10351
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.07%
||
7 Day CHG~0.00%
Published-11 Jul, 2019 | 13:55
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-caliper_ciJenkins Caliper CI Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10449
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.55%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-fortify_on_demandJenkins Fortify on Demand Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10452
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 5.81%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-view26_test-reportingJenkins View26 Test-Reporting Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-10451
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 5.81%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Action-Not Available
Vendor-Jenkins
Product-soasta_cloudtestJenkins SOASTA CloudTest Plugin
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-27623
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.36%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 22:33
Updated-24 Jun, 2025 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-27622
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.78%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 22:33
Updated-24 Jun, 2025 | 00:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2026-23655
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 17:51
Updated-27 Feb, 2026 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft ACI Confidential Containers Information Disclosure Vulnerability

Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-confidential_sidecar_containersMicrosoft ACI Confidential Containers
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2021-45491
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 34.99%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 01:14
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

3CX System through 2022-03-17 stores cleartext passwords in a database.

Action-Not Available
Vendor-3cxn/a
Product-3cxn/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found