Vulnerabilities > Jenkins > Low

DATE CVE VULNERABILITY TITLE RISK
2020-09-01 CVE-2020-2249 Missing Encryption of Sensitive Data vulnerability in Jenkins Team Foundation Server
Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
local
low complexity
jenkins CWE-311
3.3
2019-10-16 CVE-2019-10450 Cleartext Storage of Sensitive Information vulnerability in Jenkins Elasticbox CI
Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
local
low complexity
jenkins CWE-312
3.3
2019-10-01 CVE-2019-10433 Cleartext Storage of Sensitive Information vulnerability in Jenkins Dingding
Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
local
low complexity
jenkins CWE-312
3.3
2019-09-12 CVE-2019-10397 Cleartext Transmission of Sensitive Information vulnerability in Jenkins Aqua Security Severless Scanner
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
network
high complexity
jenkins CWE-319
3.1
2019-07-31 CVE-2019-10343 Information Exposure Through Log Files vulnerability in Jenkins Configuration AS Code
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.
local
low complexity
jenkins CWE-532
3.3
2019-01-09 CVE-2018-1000410 Information Exposure vulnerability in Jenkins
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.
local
low complexity
jenkins CWE-200
2.1
2018-08-01 CVE-2018-1999029 Cross-site Scripting vulnerability in Jenkins Shelve Project
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
network
jenkins CWE-79
3.5
2018-08-01 CVE-2018-1999041 Information Exposure vulnerability in Jenkins Tinfoil Security
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.
local
low complexity
jenkins CWE-200
2.1
2018-07-23 CVE-2018-1999005 Cross-site Scripting vulnerability in multiple products
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
3.5
2018-07-23 CVE-2018-1999007 Cross-site Scripting vulnerability in multiple products
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.
3.5