Vulnerabilidades en Jenkins project

1522 resultados
Análisis Vexday

Com 1.064 CVEs catalogadas, o Jenkins Project acumula um volume expressivo de vulnerabilidades históricas, embora a taxa de exploração ativa — 0,19% das CVEs presentes no catálogo CISA KEV — esteja abaixo da média geral do catálogo (0,45%), o que sugere que a maioria das falhas não chegou a ser amplamente weaponizada. O ponto de maior atenção é o EPSS máximo observado de 0,9843, indicando que ao menos uma vulnerabilidade no portfólio apresenta probabilidade de exploração extremamente elevada segundo modelos preditivos. A CVE mais perigosa em exploração ativa, CVE-2019-1003030, carrega um EPSS de 0,7596, reforçando a necessidade de priorizar ambientes que ainda não aplicaram as correções correspondentes. O tipo de falha mais comum, CWE-862 (ausência de verificação de autorização), combinado com 11 CVEs com PoC pública, aponta para uma superfície de ataque relevante que exige controle rigoroso de permissões e aplicação consistente de patches.

CVE-2022-34208A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an EPSS 0.6%CVE-2023-41939HIGHJenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users fEPSS 0.6%CVE-2023-41945Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permiEPSS 0.6%CVE-2022-36897A missing permission check in Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier allows attackers with Overall/Read permissioEPSS 0.5%CVE-2022-36915Jenkins Android Signing Plugin 2.2.5 and earlier does not perform a permission check in a method implementing form validation, allowing attaEPSS 0.5%CVE-2022-36892Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation, allowing attacEPSS 0.5%CVE-2022-36895A missing permission check in Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier allows attackers with Overall/Read permission to enEPSS 0.5%CVE-2023-40348The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs inEPSS 0.5%CVE-2023-41934Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of EPSS 0.5%CVE-2022-25200A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attackeEPSS 0.5%CVE-2023-41940Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitEPSS 0.5%CVE-2023-30526MEDIUMA missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an atEPSS 0.5%CVE-2022-43432MEDIUMJenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content iEPSS 0.5%CVE-2022-25195A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacEPSS 0.5%CVE-2019-16545Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration formsEPSS 0.5%CVE-2022-43413MEDIUMJenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permEPSS 0.5%CVE-2022-28143A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-speEPSS 0.5%CVE-2023-40341A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attackerEPSS 0.5%CVE-2022-34798Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers witEPSS 0.5%CVE-2022-41250MEDIUMA missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an aEPSS 0.5%