Vulnerabilidades em Jenkins project

1.522 resultados
Análise Vexday

Com 1.064 CVEs catalogadas, o Jenkins Project acumula um volume expressivo de vulnerabilidades históricas, embora a taxa de exploração ativa — 0,19% das CVEs presentes no catálogo CISA KEV — esteja abaixo da média geral do catálogo (0,45%), o que sugere que a maioria das falhas não chegou a ser amplamente weaponizada. O ponto de maior atenção é o EPSS máximo observado de 0,9843, indicando que ao menos uma vulnerabilidade no portfólio apresenta probabilidade de exploração extremamente elevada segundo modelos preditivos. A CVE mais perigosa em exploração ativa, CVE-2019-1003030, carrega um EPSS de 0,7596, reforçando a necessidade de priorizar ambientes que ainda não aplicaram as correções correspondentes. O tipo de falha mais comum, CWE-862 (ausência de verificação de autorização), combinado com 11 CVEs com PoC pública, aponta para uma superfície de ataque relevante que exige controle rigoroso de permissões e aplicação consistente de patches.

CVE-2022-34808Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller wheEPSS 0.6%CVE-2023-40347Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowEPSS 0.6%CVE-2022-34799Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controlEPSS 0.6%CVE-2022-34811A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to aEPSS 0.6%CVE-2022-34814Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackEPSS 0.6%CVE-2023-46656Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the proEPSS 0.6%CVE-2022-34800Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller wEPSS 0.6%CVE-2022-34803Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the JenkEPSS 0.6%CVE-2023-24446HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in tEPSS 0.6%CVE-2023-24458HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-sEPSS 0.6%CVE-2024-28152MEDIUMIn Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests fEPSS 0.6%CVE-2025-64140HIGHJenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with IteEPSS 0.6%CVE-2023-24434HIGHA cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to conneEPSS 0.6%CVE-2023-37953A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attackerEPSS 0.6%CVE-2023-37951Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure pEPSS 0.6%CVE-2023-41932Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpointEPSS 0.6%CVE-2022-27204A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to coEPSS 0.6%CVE-2022-43417MEDIUMJenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/ReadEPSS 0.6%CVE-2022-34813A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to cEPSS 0.6%CVE-2022-34818Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attEPSS 0.6%