Vulnerabilities in Jenkins project

1,522 results
Vexday analysis

Com 1.064 CVEs catalogadas, o Jenkins Project acumula um volume expressivo de vulnerabilidades históricas, embora a taxa de exploração ativa — 0,19% das CVEs presentes no catálogo CISA KEV — esteja abaixo da média geral do catálogo (0,45%), o que sugere que a maioria das falhas não chegou a ser amplamente weaponizada. O ponto de maior atenção é o EPSS máximo observado de 0,9843, indicando que ao menos uma vulnerabilidade no portfólio apresenta probabilidade de exploração extremamente elevada segundo modelos preditivos. A CVE mais perigosa em exploração ativa, CVE-2019-1003030, carrega um EPSS de 0,7596, reforçando a necessidade de priorizar ambientes que ainda não aplicaram as correções correspondentes. O tipo de falha mais comum, CWE-862 (ausência de verificação de autorização), combinado com 11 CVEs com PoC pública, aponta para uma superfície de ataque relevante que exige controle rigoroso de permissões e aplicação consistente de patches.

CVE-2019-10460Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins masEPSS 0.3%CVE-2026-27100MEDIUMJenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not EPSS 0.3%CVE-2019-10461Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier stored credentials unencrypted in its global configuration file on the JenEPSS 0.3%CVE-2019-10476Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they coulEPSS 0.3%CVE-2022-46685MEDIUMIn Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentialEPSS 0.3%CVE-2021-21614Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller EPSS 0.3%CVE-2020-2297Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controlleEPSS 0.3%CVE-2023-40337A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view EPSS 0.3%CVE-2020-2145Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file systeEPSS 0.3%CVE-2019-16572Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can EPSS 0.3%CVE-2019-10345Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted foEPSS 0.3%CVE-2019-10429Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed byEPSS 0.3%CVE-2020-2314Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where iEPSS 0.3%CVE-2023-30523MEDIUMJenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controllerEPSS 0.3%CVE-2019-16543Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where EPSS 0.3%CVE-2024-23902MEDIUMA cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers toEPSS 0.3%CVE-2023-30530MEDIUMJenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on thEPSS 0.3%CVE-2023-30527MEDIUMJenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins contrEPSS 0.3%CVE-2023-30517MEDIUMJenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when coEPSS 0.3%CVE-2019-10423Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by usEPSS 0.3%