Latest jenkins jenkins Vulnerabilities

CVE-2024-23898
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through ...
Jenkins Jenkins=2.442
Jenkins Jenkins=LTS 2.426.3
redhat/Jenkins<2.442
redhat/Jenkins LTS<2.426.3
maven/org.jenkins-ci.main:jenkins-core>=2.427<=2.440
maven/org.jenkins-ci.main:jenkins-core>=2.217<=2.426.2
and 5 more
CVE-2024-23897
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, ...
Jenkins CI/CD=2.442
Jenkins CI/CD=LTS 2.426.3
Jenkins Jenkins<2.426.3
Jenkins Jenkins<2.442
maven/org.jenkins-ci.main:jenkins-core>=2.427<2.440.1
maven/org.jenkins-ci.main:jenkins-core=2.441
and 3 more
CVE-2023-36478
HTTP/2 HPACK integer overflow and buffer allocation
debian/jetty9<=9.4.16-0+deb10u1<=9.4.39-3+deb11u2
redhat/http2-hpack<10.0.16
redhat/http2-hpack<11.0.16
redhat/http2-hpack<9.4.53
redhat/http3-qpack<10.0.16
redhat/http3-qpack<11.0.161
and 15 more
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
CVE-2023-43498
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system tempora...
Jenkins Jenkins<2.414.2
Jenkins Jenkins<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.415<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.50<2.414.2
CVE-2023-43497
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system tempora...
maven/org.jenkins-ci.main:jenkins-core>=2.415<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.50<2.414.2
Jenkins Jenkins<2.414.2
Jenkins Jenkins<2.424
CVE-2023-43496
Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with t...
Jenkins Jenkins<2.414.2
Jenkins Jenkins<2.424
<2.414.2
<2.424
CVE-2023-43495
`ExpandableDetailsNote` allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape t...
Jenkins Jenkins<2.414.2
Jenkins Jenkins<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.415<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.50<2.414.2
CVE-2023-43494
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build histo...
Jenkins Jenkins>=2.50<2.424
Jenkins Jenkins>=2.60.1<2.414.2
CVE-2023-39151
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vuln...
Jenkins Jenkins<=2.415
Jenkins Jenkins<=2.401.2
CVE-2023-35141
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a v...
Jenkins Jenkins<2.400
Jenkins Jenkins<2.401.1
CVE-2023-27904
A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkin...
maven/org.jenkins-ci.main:jenkins-core>=2.388<2.394
maven/org.jenkins-ci.main:jenkins-core>=2.376<2.387.1
maven/org.jenkins-ci.main:jenkins-core<2.375.4
<2.375.4
<2.394
Jenkins Jenkins<2.375.4
and 10 more
CVE-2023-27903
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter thro...
<2.375.4
<2.394
Jenkins Jenkins<2.375.4
Jenkins Jenkins<2.394
maven/org.jenkins-ci.main:jenkins-core>=2.388<2.394
maven/org.jenkins-ci.main:jenkins-core>=2.376<2.387.1
and 4 more
CVE-2023-27902
Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are ad...
redhat/jenkins<0:2.387.3.1684911776-3.el8
<2.375.4
<2.394
Jenkins Jenkins<2.375.4
Jenkins Jenkins<2.394
maven/org.jenkins-ci.main:jenkins-core>=2.388<2.394
and 5 more
CVE-2023-27901
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in ...
maven/org.jenkins-ci.main:jenkins-core>=2.376<2.387.1
maven/org.jenkins-ci.main:jenkins-core>=2.388<2.394
maven/org.jenkins-ci.main:jenkins-core<2.375.4
<2.375.4
<2.394
Jenkins Jenkins<2.375.4
and 5 more
CVE-2023-27899
A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with acce...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.387.1.1680701869-1.el8
<2.375.4
<2.394
Jenkins Jenkins<2.375.4
Jenkins Jenkins<2.394
and 3 more
CVE-2023-27900
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 is affected by the Apache Commons FileUpload library’s vulnerability CVE-2023-24998. This library is used to process upload...
maven/org.jenkins-ci.main:jenkins-core>=2.376<2.387.1
maven/org.jenkins-ci.main:jenkins-core>=2.388<2.394
maven/org.jenkins-ci.main:jenkins-core<2.375.4
Jenkins Jenkins<2.375.4
Jenkins Jenkins<2.394
redhat/Jenkins<2.394
and 3 more
CVE-2023-27898
A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current versi...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.387.1.1680701869-1.el8
>=2.270<2.394
>=2.277.1<2.375.4
Jenkins Jenkins>=2.270<2.394
Jenkins Jenkins>=2.277.1<2.375.4
and 5 more
CVE-2022-43422
Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain t...
Jenkins Compuware Topaz Utilities<1.0.9
Jenkins Jenkins<=2.138
Jenkins Jenkins<=2.303.2
<1.0.9
<=2.138
<=2.303.2
and 1 more
CVE-2022-43423
BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able t...
Jenkins Compuware Source Code Download For Endevor\, Pds\, And Ispw<2.0.13
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
<2.0.13
<=2.303.2
<=2.318
and 1 more
CVE-2022-43424
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to o...
Jenkins Compuware Xpediter Code<=1.0.7
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
Jenkins Compuware Xpediter Code Coverage<1.0.8
maven/com.compuware.jenkins:compuware-xpediter-code-coverage<1.0.8
Jenkins Compuware Xpediter Code Coverage<1.0.8
and 2 more
CVE-2022-43428
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes ...
maven/com.compuware.jenkins:compuware-topaz-for-total-test<=2.4.8
Jenkins Compuware Topaz For Total Test<=2.4.8
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
Jenkins Compuware Topaz For Total Test<=2.4.8
Jenkins Jenkins<=2.303.2
and 1 more
CVE-2022-43429
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes ...
Jenkins Compuware Topaz For Total Test<=2.4.8
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
Jenkins Compuware Topaz For Total Test<=2.4.8
CVE-2022-43416
Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attack...
maven/org.jenkins-ci.plugins:katalon<1.0.33
Jenkins Katalon<1.0.33
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
Jenkins Katalon<1.0.33
Jenkins Jenkins<=2.303.2
and 1 more
CVE-2022-41224
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the `l:helpIcon` UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) ...
Jenkins Jenkins>=2.367<=2.369
Jenkins Jenkins>=2.367<2.370
maven/org.jenkins-ci.main:jenkins-core>=2.367<2.370
>=2.367<2.370
CVE-2022-36899
Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java syst...
Jenkins Compuware Ispw Operations<1.0.9
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
CVE-2022-36900
Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system ...
maven/com.compuware.jenkins:compuware-zadviser-api<=1.0.3
Jenkins Compuware Zadviser Api<=1.0.3
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
Jenkins Compuware Zadviser Api<=1.0.3
Jenkins Jenkins<=2.303.2
and 1 more
CVE-2022-2048
### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.361.1.1672840472-1.el8
redhat/jenkins<0:2.361.1.1675668150-1.el8
maven/org.eclipse.jetty.http2:http2-server>=11.0.0<11.0.10
maven/org.eclipse.jetty.http2:http2-server>=10.0.0<10.0.10
maven/org.eclipse.jetty.http2:http2-server<9.4.47
and 14 more
CVE-2022-34171
Jenkins Jenkins>=2.321<=2.355
Jenkins Jenkins>=2.332.1<=2.332.3
CVE-2022-34175
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing...
Jenkins Jenkins>=2.335<=2.355
maven/org.jenkins-ci.main:jenkins-core>=2.335<2.356
CVE-2022-34172
Jenkins Jenkins>=2.340<=2.355
CVE-2022-34173
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerabili...
Jenkins Jenkins>=2.340<=2.355
CVE-2022-34170
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the...
Jenkins Jenkins>=2.320<=2.355
Jenkins Jenkins>=2.332.1<=2.332.3
maven/org.jenkins-ci.main:jenkins-core>=2.346<2.346.1
maven/org.jenkins-ci.main:jenkins-core>=2.320<2.332.4
maven/org.jenkins-ci.main:jenkins-core>=2.350<2.356
CVE-2022-34174
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with...
redhat/jenkins<0:2.361.1.1675406172-1.el8
redhat/jenkins<0:2.361.1.1672840472-1.el8
redhat/jenkins<0:2.361.1.1675668150-1.el8
<=2.332.3
<=2.355
Jenkins Jenkins<=2.332.3
and 3 more
CVE-2022-27201
Jenkins Semantic Versioning<=1.13
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
CVE-2022-0538
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained re...
Jenkins Jenkins<2.319.3
Jenkins Jenkins<2.334
maven/org.jenkins-ci.main:jenkins-core<2.319.3
maven/org.jenkins-ci.main:jenkins-core>=2.320<2.334
CVE-2022-20612
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.
maven/org.jenkins-ci.main:jenkins-core>=2.320<2.330
maven/org.jenkins-ci.main:jenkins-core<2.319.2
Jenkins Jenkins<=2.319.1
Jenkins Jenkins<=2.329
Oracle Communications Cloud Native Core Automated Test Suite=1.9.0
CVE-2021-21697
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the di...
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21695
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<2.303.3
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21696
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the `libs/` directory inside build directories when using the `FilePath` APIs. This directory is used by th...
Jenkins Jenkins<=2.303.2
Jenkins Jenkins<=2.318
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21694
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21693
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
maven/org.jenkins-ci.main:jenkins-core<2.303.3
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
CVE-2021-21691
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21692
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21690
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21689
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
maven/org.jenkins-ci.main:jenkins-core<2.303.3
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21688
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
maven/org.jenkins-ci.main:jenkins-core<=2.303.2
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
CVE-2021-21687
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
CVE-2021-21685
FilePath#mkdirs does not check permission to create parent directories.
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
maven/org.jenkins-ci.main:jenkins-core<2.303.2
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
and 2 more
CVE-2021-21686
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenki...
redhat/jenkins<2.319
redhat/jenkins LTS<2.303.3
Jenkins Jenkins<2.303.3
Jenkins Jenkins<2.319
maven/org.jenkins-ci.main:jenkins-core>=2.304<=2.318
maven/org.jenkins-ci.main:jenkins-core<2.303.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203