
CVE-2025-24399
https://notcve.org/view.php?id=CVE-2025-24399
22 Jan 2025 — Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461 • CWE-276: Incorrect Default Permissions

CVE-2025-24398
https://notcve.org/view.php?id=CVE-2025-24398
22 Jan 2025 — Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-24397
https://notcve.org/view.php?id=CVE-2025-24397
22 Jan 2025 — An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3260 • CWE-863: Incorrect Authorization

CVE-2024-54004
https://notcve.org/view.php?id=CVE-2024-54004
27 Nov 2024 — Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3367 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-54003
https://notcve.org/view.php?id=CVE-2024-54003
27 Nov 2024 — Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3467 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52554
https://notcve.org/view.php?id=CVE-2024-52554
13 Nov 2024 — Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466 • CWE-862: Missing Authorization

CVE-2024-52553
https://notcve.org/view.php?id=CVE-2024-52553
13 Nov 2024 — Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3473 • CWE-613: Insufficient Session Expiration

CVE-2024-52552
https://notcve.org/view.php?id=CVE-2024-52552
13 Nov 2024 — Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-47807
https://notcve.org/view.php?id=CVE-2024-47807
02 Oct 2024 — Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2) • CWE-287: Improper Authentication

CVE-2024-47806
https://notcve.org/view.php?id=CVE-2024-47806
02 Oct 2024 — Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(1) • CWE-287: Improper Authentication