
CVE-2025-47889
https://notcve.org/view.php?id=CVE-2025-47889
14 May 2025 — In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. • https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481 • CWE-287: Improper Authentication •

CVE-2025-47888
https://notcve.org/view.php?id=CVE-2025-47888
14 May 2025 — Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. • https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3353 • CWE-20: Improper Input Validation •

CVE-2025-32755
https://notcve.org/view.php?id=CVE-2025-32755
10 Apr 2025 — In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter. • https://www.jenkins.io/security/advisory/2025-04-10/#SECURITY-3565 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVE-2025-32754
https://notcve.org/view.php?id=CVE-2025-32754
10 Apr 2025 — In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter. • https://www.jenkins.io/security/advisory/2025-04-10/#SECURITY-3565 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVE-2025-31728
https://notcve.org/view.php?id=CVE-2025-31728
02 Apr 2025 — Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3523 • CWE-549: Missing Password Field Masking •

CVE-2025-31727
https://notcve.org/view.php?id=CVE-2025-31727
02 Apr 2025 — Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3523 • CWE-549: Missing Password Field Masking •

CVE-2025-31726
https://notcve.org/view.php?id=CVE-2025-31726
02 Apr 2025 — Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3520 • CWE-284: Improper Access Control •

CVE-2025-31725
https://notcve.org/view.php?id=CVE-2025-31725
02 Apr 2025 — Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3539 • CWE-284: Improper Access Control •

CVE-2025-31724
https://notcve.org/view.php?id=CVE-2025-31724
02 Apr 2025 — Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3537 • CWE-256: Plaintext Storage of a Password •

CVE-2025-31723
https://notcve.org/view.php?id=CVE-2025-31723
02 Apr 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order. • https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3469 • CWE-352: Cross-Site Request Forgery (CSRF) •