jenkins

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Extendable continuous integration server (latest)
Version 2.485-1 [extra]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2678 0.0.0-1 High Not affected
AVG-2526 2.318-1 2.319-1 Critical Fixed
AVG-2449 2.314-1 Medium Not affected
AVG-2448 2.314-1 2.315-1 Medium Fixed
AVG-2118 2.299-1 2.300-1 High Fixed
AVG-1841 2.285-1 2.286-1 High Not affected
AVG-1781 2.286-1 2.287-1 Medium Fixed
AVG-1595 2.279-1 2.280-1 High Fixed
AVG-1491 2.275-1 2.276-1 Medium Fixed
AVG-1446 2.274-1 2.275-1 High Fixed
AVG-1030 2.189-1 2.192-1 Medium Fixed
AVG-1012 2.185-1 2.186-1 High Fixed
AVG-948 2.171-1 2.172-1 Medium Fixed
AVG-778 2.145-1 2.146-1 Medium Fixed
AVG-738 2.132-1 2.133-1 High Fixed
AVG-543 2.93-1 2.94-1 Medium Fixed
AVG-255 2.56-1 2.57-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2022-28160 AVG-2678 Medium Yes Arbitrary filesystem access
Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller.
CVE-2022-28159 AVG-2678 Medium Yes Cross-site scripting
Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored...
CVE-2022-28158 AVG-2678 Medium Yes Information disclosure
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate...
CVE-2022-28157 AVG-2678 Medium Yes Arbitrary file upload
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins...
CVE-2022-28156 AVG-2678 Medium Yes Information disclosure
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the...
CVE-2022-28155 AVG-2678 High Yes Xml external entity injection
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28154 AVG-2678 High Yes Xml external entity injection
Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28153 AVG-2678 Medium Yes Cross-site scripting
Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS)...
CVE-2022-28152 AVG-2678 Medium Yes Cross-site scripting
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default...
CVE-2022-28151 AVG-2678 Medium Yes Access restriction bypass
A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and...
CVE-2022-28150 AVG-2678 High Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and...
CVE-2022-28149 AVG-2678 Medium Yes Cross-site scripting
Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross- site scripting...
CVE-2022-28148 AVG-2678 Medium Yes Arbitrary filesystem access
The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting...
CVE-2022-28147 AVG-2678 Medium Yes Information disclosure
A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check...
CVE-2022-28146 AVG-2678 Medium Yes Arbitrary filesystem access
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins...
CVE-2022-28145 AVG-2678 Medium Yes Cross-site scripting
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in...
CVE-2022-28144 AVG-2678 Medium Yes Unknown
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to...
CVE-2022-28143 AVG-2678 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker- specified host...
CVE-2022-28142 AVG-2678 High Yes Unknown
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues.
CVE-2022-28141 AVG-2678 Medium Yes Information disclosure
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it...
CVE-2022-28140 AVG-2678 High Yes Xml external entity injection
Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28139 AVG-2678 Medium Yes Unknown
A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an...
CVE-2022-28138 AVG-2678 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an...
CVE-2022-28137 AVG-2678 Medium Yes Unknown
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect...
CVE-2022-28136 AVG-2678 High Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an...
CVE-2022-28135 AVG-2678 Medium Yes Information disclosure
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins...
CVE-2022-28134 AVG-2678 Medium Yes Unknown
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with...
CVE-2022-28133 AVG-2678 Medium Yes Cross-site scripting
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored...
CVE-2021-28165 AVG-1841 High Yes Denial of service
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is...
CVE-2021-22112 AVG-1595 High Yes Privilege escalation
A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their...
CVE-2021-21697 AVG-2526 High Yes Arbitrary filesystem access
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins before 2.319...
CVE-2021-21696 AVG-2526 High Yes Sandbox escape
Jenkins before version 2.319 does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This...
CVE-2021-21695 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#listFiles lists files outside directories with agent read access when following...
CVE-2021-21694 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and...
CVE-2021-21693 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. When creating temporary files, permission to create files is only checked after they’ve...
CVE-2021-21692 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission...
CVE-2021-21691 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. Creating symbolic links is possible without the symlink permission. This allows agent...
CVE-2021-21690 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. Agent processes are able to completely bypass file path filtering by wrapping the file...
CVE-2021-21689 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#unzip and FilePath#untar were not subject to any access control. This allows agent...
CVE-2021-21688 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#reading(FileVisitor) does not reject any operations, allowing users to have...
CVE-2021-21687 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#untar does not check permission to create symbolic links when unarchiving a...
CVE-2021-21686 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. File path filters do not canonicalize paths, allowing operations to follow symbolic links...
CVE-2021-21685 AVG-2526 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#mkdirs does not check permission to create parent directories. This allows agent...
CVE-2021-21683 AVG-2449 Medium Yes Directory traversal
The file browser in Jenkins 2.314 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing...
CVE-2021-21682 AVG-2449 Medium Yes Directory traversal
Jenkins 2.314 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other...
CVE-2021-21671 AVG-2118 High Yes Authentication bypass
Jenkins 2.299 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain...
CVE-2021-21670 AVG-2118 Medium Yes Access restriction bypass
Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have...
CVE-2021-21640 AVG-1781 Medium Yes Insufficient validation
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with...
CVE-2021-21639 AVG-1781 Medium Yes Insufficient validation
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API...
CVE-2021-21615 AVG-1491 Medium Yes Directory traversal
Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows...
CVE-2021-21611 AVG-1446 High Yes Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored...
CVE-2021-21610 AVG-1446 High Yes Cross-site scripting
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a...
CVE-2021-21609 AVG-1446 Low Yes Insufficient validation
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from...
CVE-2021-21608 AVG-1446 High Yes Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability...
CVE-2021-21607 AVG-1446 Medium Yes Denial of service
Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins...
CVE-2021-21606 AVG-1446 Medium Yes Information disclosure
Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier...
CVE-2021-21605 AVG-1446 High Yes Directory traversal
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override...
CVE-2021-21604 AVG-1446 High Yes Incorrect calculation
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS...
CVE-2021-21603 AVG-1446 High Yes Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply...
CVE-2021-21602 AVG-1446 Medium Yes Arbitrary filesystem access
A security issue was found in Jenkins before version 2.275. The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows...
CVE-2019-1003050 AVG-948 Medium Yes Cross-site scripting
The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability...
CVE-2019-1003049 AVG-948 Medium Yes Access restriction bypass
A security issue has been found in Jenkins before 2.172, where the fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based...
CVE-2019-10384 AVG-1030 Medium Yes Cross-site request forgery
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the...
CVE-2019-10383 AVG-1030 Low Yes Cross-site scripting
Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting...
CVE-2019-10354 AVG-1012 High Yes Access restriction bypass
A security issue has been found in Jenkins before 2.186. Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised...
CVE-2019-10353 AVG-1012 High Yes Cross-site request forgery
By default, CSRF tokens in Jenkins before 2.186 only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for...
CVE-2019-10352 AVG-1012 High Yes Arbitrary file overwrite
A vulnerability has been found in Jenkins before 2.186, where users with Job/Configure permission could specify a relative path escaping the base directory...
CVE-2018-1999043 AVG-778 Medium Yes Access restriction bypass
A security issue has been found in Jenkins version prior to 2.146. When attempting to authenticate using API token, an ephemeral user record was created to...
CVE-2018-1999007 AVG-738 Medium Yes Cross-site scripting
Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information....
CVE-2018-1999006 AVG-738 Medium Yes Information disclosure
Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users...
CVE-2018-1999005 AVG-738 Medium Yes Cross-site scripting
The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a...
CVE-2018-1999004 AVG-738 Medium Yes Access restriction bypass
The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999003 AVG-738 Medium Yes Access restriction bypass
The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999002 AVG-738 High Yes Arbitrary filesystem access
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests...
CVE-2018-1999001 AVG-738 High Yes Access restriction bypass
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home...
CVE-2017-1000356 AVG-255 High Yes Cross-site request forgery
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into...
CVE-2017-1000355 AVG-255 Medium Yes Arbitrary code execution
Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to...
CVE-2017-1000354 AVG-255 High Yes Privilege escalation
The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to...
CVE-2017-17383 AVG-543 Medium Yes Cross-site scripting
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated...
CVE-2014-3577 AVG-2448 Medium Yes Certificate verification bypass
Jenkins 2.314 and earlier bundles a version of the commons-httpclient library with the vulnerability CVE-2014-3577 that incorrectly verified SSL/TLS...

Advisories

Date Advisory Group Severity Type
05 Nov 2021 ASA-202111-1 AVG-2526 Critical multiple issues
01 Jul 2021 ASA-202107-5 AVG-2118 High multiple issues
20 Jan 2021 ASA-202101-41 AVG-1446 High multiple issues
30 Aug 2019 ASA-201908-22 AVG-1030 Medium multiple issues
11 Apr 2019 ASA-201904-7 AVG-948 Medium multiple issues
21 Jul 2018 ASA-201807-14 AVG-738 High multiple issues
27 Apr 2017 ASA-201704-8 AVG-255 High multiple issues