Vulnerabilidades en Jenkins Project

1522 resultados
Análisis Vexday

O Jenkins Project acumula 458 CVEs catalogadas, com 56 novas ocorrências nos últimos 90 dias, sinalizando um ritmo contínuo de descobertas que exige monitoramento constante. A taxa de exploração ativa está abaixo da média geral do catálogo, com apenas 1 CVE confirmada no CISA KEV, porém essa única entrada — CVE-2024-23897 — apresenta EPSS máximo de 1.0, indicando probabilidade extremamente alta de exploração ativa e tornando sua remediação imediata uma prioridade absoluta. O tipo de falha mais frequente é CWE-352 (Cross-Site Request Forgery), o que sugere fragilidades persistentes nos mecanismos de controle de requisições da plataforma, especialmente relevantes em ambientes expostos à internet. Com 20 CVEs de severidade crítica e 3 com PoC pública disponível, a superfície de ataque real merece atenção proporcional, independentemente da taxa de exploração relativamente contida.

CVE-2025-53672MEDIUMJenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controllEPSS 0.3%CVE-2020-2274Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller EPSS 0.3%CVE-2025-58459MEDIUMJenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attaEPSS 0.3%CVE-2020-2249Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the JenkinEPSS 0.3%CVE-2025-67641HIGHJenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage resEPSS 0.3%CVE-2023-39156A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created BaEPSS 0.3%CVE-2025-53677MEDIUMJenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential forEPSS 0.3%CVE-2025-53674MEDIUMJenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, inEPSS 0.3%CVE-2019-10430Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the JenkinEPSS 0.3%CVE-2025-53743MEDIUMJenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the EPSS 0.3%CVE-2025-31723MEDIUMA cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the EPSS 0.2%CVE-2026-42521MEDIUMJenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specifiEPSS 0.2%CVE-2025-64148MEDIUMA missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerateEPSS 0.2%CVE-2023-27903MEDIUMJenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions EPSS 0.2%CVE-2023-32994LOWJenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOraEPSS 0.2%CVE-2025-53658MEDIUMJenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scrEPSS 0.2%CVE-2019-10450Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they canEPSS 0.2%CVE-2026-53440MEDIUMJenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" securityEPSS 0.2%CVE-2025-64132MEDIUMJenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trEPSS 0.2%CVE-2025-64147MEDIUMJenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackeEPSS 0.2%