
CVE-2025-24399
https://notcve.org/view.php?id=CVE-2025-24399
22 Jan 2025 — Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461 • CWE-276: Incorrect Default Permissions

CVE-2025-24398
https://notcve.org/view.php?id=CVE-2025-24398
22 Jan 2025 — Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-24397
https://notcve.org/view.php?id=CVE-2025-24397
22 Jan 2025 — An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3260 • CWE-863: Incorrect Authorization

CVE-2024-54004
https://notcve.org/view.php?id=CVE-2024-54004
27 Nov 2024 — Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3367 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-54003
https://notcve.org/view.php?id=CVE-2024-54003
27 Nov 2024 — Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3467 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52553
https://notcve.org/view.php?id=CVE-2024-52553
13 Nov 2024 — Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3473 • CWE-613: Insufficient Session Expiration

CVE-2024-52552
https://notcve.org/view.php?id=CVE-2024-52552
13 Nov 2024 — Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-47807
https://notcve.org/view.php?id=CVE-2024-47807
02 Oct 2024 — Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2) • CWE-287: Improper Authentication

CVE-2024-47806
https://notcve.org/view.php?id=CVE-2024-47806
02 Oct 2024 — Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(1) • CWE-287: Improper Authentication

CVE-2024-47804 – jenkins: Item creation restriction bypass vulnerability
https://notcve.org/view.php?id=CVE-2024-47804
02 Oct 2024 — If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction. A flaw was found in Jenkins. When attempting to crea... • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-1220: Insufficient Granularity of Access Control