CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30196
https://notcve.org/view.php?id=CVE-2025-30196
19 Mar 2025 — Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. • https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24403
https://notcve.org/view.php?id=CVE-2025-24403
22 Jan 2025 — A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24402
https://notcve.org/view.php?id=CVE-2025-24402
22 Jan 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3094 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24400
https://notcve.org/view.php?id=CVE-2025-24400
22 Jan 2025 — Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3485 • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24399
https://notcve.org/view.php?id=CVE-2025-24399
22 Jan 2025 — Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461 • CWE-276: Incorrect Default Permissions •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24398
https://notcve.org/view.php?id=CVE-2025-24398
22 Jan 2025 — Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24397
https://notcve.org/view.php?id=CVE-2025-24397
22 Jan 2025 — An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3260 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54004
https://notcve.org/view.php?id=CVE-2024-54004
27 Nov 2024 — Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3367 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54003
https://notcve.org/view.php?id=CVE-2024-54003
27 Nov 2024 — Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3467 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52554
https://notcve.org/view.php?id=CVE-2024-52554
13 Nov 2024 — Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466 • CWE-862: Missing Authorization •