CVE-2024-9453
- EPSS 0.34%
- Veröffentlicht 04.07.2025 08:36:35
- Zuletzt bearbeitet 18.08.2025 19:02:46
A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a mal...
CVE-2025-31720
- EPSS 0.39%
- Veröffentlicht 02.04.2025 15:15:59
- Zuletzt bearbeitet 29.04.2025 14:03:21
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.
CVE-2025-31721
- EPSS 0.38%
- Veröffentlicht 02.04.2025 15:15:59
- Zuletzt bearbeitet 29.04.2025 13:56:43
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.
CVE-2025-27623
- EPSS 0.32%
- Veröffentlicht 05.03.2025 23:15:14
- Zuletzt bearbeitet 24.06.2025 00:46:38
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.
CVE-2025-27624
- EPSS 0.41%
- Veröffentlicht 05.03.2025 23:15:14
- Zuletzt bearbeitet 24.06.2025 00:45:20
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
CVE-2025-27625
- EPSS 0.58%
- Veröffentlicht 05.03.2025 23:15:14
- Zuletzt bearbeitet 24.06.2025 00:42:16
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different si...
CVE-2025-27622
- EPSS 0.73%
- Veröffentlicht 05.03.2025 23:15:13
- Zuletzt bearbeitet 24.06.2025 00:48:40
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
CVE-2024-47803
- EPSS 0.82%
- Veröffentlicht 02.10.2024 16:15:10
- Zuletzt bearbeitet 19.03.2025 18:15:23
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
CVE-2024-47804
- EPSS 0.67%
- Veröffentlicht 02.10.2024 16:15:10
- Zuletzt bearbeitet 14.03.2025 16:15:36
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2...
CVE-2024-43044
- EPSS 28.78%
- Veröffentlicht 07.08.2024 14:15:33
- Zuletzt bearbeitet 14.03.2025 20:15:13
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.