
CVE-2025-31728
https://notcve.org/view.php?id=CVE-2025-31728
02 Apr 2025 — Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3523

CVE-2025-31727
https://notcve.org/view.php?id=CVE-2025-31727
02 Apr 2025 — Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3523

CVE-2025-31726
https://notcve.org/view.php?id=CVE-2025-31726
02 Apr 2025 — Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3520

CVE-2025-31725
https://notcve.org/view.php?id=CVE-2025-31725
02 Apr 2025 — Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3539

CVE-2025-31723
https://notcve.org/view.php?id=CVE-2025-31723
02 Apr 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3469 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-31722
https://notcve.org/view.php?id=CVE-2025-31722
02 Apr 2025 — In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3505 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-30196
https://notcve.org/view.php?id=CVE-2025-30196
19 Mar 2025 — Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. • https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-24403
https://notcve.org/view.php?id=CVE-2025-24403
22 Jan 2025 — A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-862: Missing Authorization

CVE-2025-24402
https://notcve.org/view.php?id=CVE-2025-24402
22 Jan 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-24400
https://notcve.org/view.php?id=CVE-2025-24400
22 Jan 2025 — Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3485 • CWE-863: Incorrect Authorization