Jenkins

251 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.1%
  • Published 02.10.2024 16:15:10
  • Last modified 19.03.2025 18:15:23

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.

  • EPSS 0.18%
  • Published 02.10.2024 16:15:10
  • Last modified 14.03.2025 16:15:36

If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2...

  • EPSS 45.97%
  • Published 07.08.2024 14:15:33
  • Last modified 14.03.2025 20:15:13

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

  • EPSS 0.16%
  • Published 07.08.2024 14:15:33
  • Last modified 25.03.2025 17:16:05

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".

  • EPSS 0.31%
  • Published 02.05.2024 14:15:10
  • Last modified 06.06.2025 15:28:57

Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefined...

Warning Media report Exploit
  • EPSS 94.47%
  • Published 24.01.2024 18:15:09
  • Last modified 20.12.2024 17:30:33

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitra...

  • EPSS 26.46%
  • Published 24.01.2024 18:15:09
  • Last modified 21.11.2024 08:58:39

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, al...

Exploit
  • EPSS 1.03%
  • Published 10.10.2023 17:15:11
  • Last modified 21.11.2024 08:09:47

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their ...

Warning Media report Exploit
  • EPSS 94.44%
  • Published 10.10.2023 14:15:10
  • Last modified 11.06.2025 17:29:54

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • EPSS 42.1%
  • Published 20.09.2023 17:15:11
  • Last modified 21.11.2024 08:24:09

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permi...