CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31723
https://notcve.org/view.php?id=CVE-2025-31723
02 Apr 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3469 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2025-31722
https://notcve.org/view.php?id=CVE-2025-31722
02 Apr 2025 — In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3505 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30196
https://notcve.org/view.php?id=CVE-2025-30196
19 Mar 2025 — Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. • https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27625
https://notcve.org/view.php?id=CVE-2025-27625
05 Mar 2025 — In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret these characters as part of scheme-relative redirects. • https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3501 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27624
https://notcve.org/view.php?id=CVE-2025-27624
05 Mar 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets). • https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27623
https://notcve.org/view.php?id=CVE-2025-27623
05 Mar 2025 — Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets. • https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3496 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27622
https://notcve.org/view.php?id=CVE-2025-27622
05 Mar 2025 — Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. • https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24403
https://notcve.org/view.php?id=CVE-2025-24403
22 Jan 2025 — A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24402
https://notcve.org/view.php?id=CVE-2025-24402
22 Jan 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24400
https://notcve.org/view.php?id=CVE-2025-24400
22 Jan 2025 — Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3485 • CWE-863: Incorrect Authorization •