Vulnerabilities in Jenkins Project

1,522 results
Vexday analysis

O Jenkins Project acumula 458 CVEs catalogadas, com 56 novas ocorrências nos últimos 90 dias, sinalizando um ritmo contínuo de descobertas que exige monitoramento constante. A taxa de exploração ativa está abaixo da média geral do catálogo, com apenas 1 CVE confirmada no CISA KEV, porém essa única entrada — CVE-2024-23897 — apresenta EPSS máximo de 1.0, indicando probabilidade extremamente alta de exploração ativa e tornando sua remediação imediata uma prioridade absoluta. O tipo de falha mais frequente é CWE-352 (Cross-Site Request Forgery), o que sugere fragilidades persistentes nos mecanismos de controle de requisições da plataforma, especialmente relevantes em ambientes expostos à internet. Com 20 CVEs de severidade crítica e 3 com PoC pública disponível, a superfície de ataque real merece atenção proporcional, independentemente da taxa de exploração relativamente contida.

CVE-2022-34808Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller wheEPSS 0.6%CVE-2023-40347Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowEPSS 0.6%CVE-2022-34799Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controlEPSS 0.6%CVE-2022-34811A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to aEPSS 0.6%CVE-2022-34814Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackEPSS 0.6%CVE-2023-46656Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the proEPSS 0.6%CVE-2022-34800Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller wEPSS 0.6%CVE-2022-34803Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the JenkEPSS 0.6%CVE-2023-24446HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in tEPSS 0.6%CVE-2023-24458HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-sEPSS 0.6%CVE-2024-28152MEDIUMIn Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests fEPSS 0.6%CVE-2025-64140HIGHJenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with IteEPSS 0.6%CVE-2023-24434HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to conneEPSS 0.6%CVE-2023-37953A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attackerEPSS 0.6%CVE-2023-37951Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure pEPSS 0.6%CVE-2023-41932Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpointEPSS 0.6%CVE-2022-27204A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to coEPSS 0.6%CVE-2022-43417MEDIUMJenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/ReadEPSS 0.6%CVE-2022-34813A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to cEPSS 0.6%CVE-2022-34818Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attEPSS 0.6%