Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for Jenkins Credentials Plugin by Jenkins Project
CVE-2024-47805 (GCVE-0-2024-47805)
Vulnerability from nvd – Published: 2024-10-02 15:35 – Updated: 2025-03-14 15:02
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2024-10-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins Project | Jenkins Credentials Plugin |
Unaffected:
1371.1373.v4eb_fa_b_7161e9
Affected: 0 , ≤ 1380.va_435002fa_924 (maven) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T15:02:05.194480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:02:44.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"status": "unaffected",
"version": "1371.1373.v4eb_fa_b_7161e9"
},
{
"lessThanOrEqual": "1380.va_435002fa_924",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI."
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T15:35:03.653Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-10-02",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2024-47805",
"datePublished": "2024-10-02T15:35:03.653Z",
"dateReserved": "2024-10-01T20:59:52.483Z",
"dateUpdated": "2025-03-14T15:02:44.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29036 (GCVE-0-2022-29036)
Vulnerability from nvd – Published: 2022-04-12 00:00 – Updated: 2024-08-03 06:10
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Unaffected:
2.6.1.1
Unaffected: 1074.1076.v39c30cecb_0e2 Unaffected: 1087.1089.v2f1b_9a_b_040e4 Affected: unspecified , ≤ 1111.v35a_307992395 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:58.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "unaffected",
"version": "2.6.1.1"
},
{
"status": "unaffected",
"version": "1074.1076.v39c30cecb_0e2"
},
{
"status": "unaffected",
"version": "1087.1089.v2f1b_9a_b_040e4"
},
{
"lessThanOrEqual": "1111.v35a_307992395",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:21:18.906Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-29036",
"datePublished": "2022-04-12T00:00:00.000Z",
"dateReserved": "2022-04-11T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:10:58.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21648 (GCVE-0-2021-21648)
Vulnerability from nvd – Published: 2021-05-11 14:15 – Updated: 2024-08-03 18:16
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2021-05-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Affected:
unspecified , ≤ 2.3.18
(custom)
Unaffected: 2.3.0.1 Unaffected: 2.3.7.1 Unaffected: 2.3.14.1 Unaffected: 2.3.13.1 Unaffected: 2.3.15.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:23.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "2.3.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.3.0.1"
},
{
"status": "unaffected",
"version": "2.3.7.1"
},
{
"status": "unaffected",
"version": "2.3.14.1"
},
{
"status": "unaffected",
"version": "2.3.13.1"
},
{
"status": "unaffected",
"version": "2.3.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T15:51:12.831Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2021-21648",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Credentials Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.3.18"
},
{
"version_affected": "!",
"version_value": "2.3.0.1"
},
{
"version_affected": "!",
"version_value": "2.3.7.1"
},
{
"version_affected": "!",
"version_value": "2.3.14.1"
},
{
"version_affected": "!",
"version_value": "2.3.13.1"
},
{
"version_affected": "!",
"version_value": "2.3.15.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2021-21648",
"datePublished": "2021-05-11T14:15:20.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:16:23.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10320 (GCVE-0-2019-10320)
Vulnerability from nvd – Published: 2019-05-21 13:00 – Updated: 2024-08-04 22:17
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Severity
No CVSS data available.
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2019/05/21/1 | mailing-listx_refsource_MLIST |
| http://seclists.org/fulldisclosure/2019/May/39 | mailing-listx_refsource_FULLDISC |
| http://www.securityfocus.com/bid/108462 | vdb-entryx_refsource_BID |
| https://wwws.nightwatchcybersecurity.com/2019/05/… | x_refsource_MISC |
| https://access.redhat.com/errata/RHBA-2019:1605 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2019:1636 | vendor-advisoryx_refsource_REDHAT |
| https://jenkins.io/security/advisory/2019-05-21/#… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Affected:
2.1.18 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:17:20.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108462"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "2.1.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:47:19.215Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108462"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10320",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Credentials Plugin",
"version": {
"version_data": [
{
"version_value": "2.1.18 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108462"
},
{
"name": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/",
"refsource": "MISC",
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"name": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10320",
"datePublished": "2019-05-21T13:00:22.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:17:20.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47805 (GCVE-0-2024-47805)
Vulnerability from cvelistv5 – Published: 2024-10-02 15:35 – Updated: 2025-03-14 15:02
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2024-10-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins Project | Jenkins Credentials Plugin |
Unaffected:
1371.1373.v4eb_fa_b_7161e9
Affected: 0 , ≤ 1380.va_435002fa_924 (maven) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T15:02:05.194480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:02:44.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"status": "unaffected",
"version": "1371.1373.v4eb_fa_b_7161e9"
},
{
"lessThanOrEqual": "1380.va_435002fa_924",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI."
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T15:35:03.653Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-10-02",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2024-47805",
"datePublished": "2024-10-02T15:35:03.653Z",
"dateReserved": "2024-10-01T20:59:52.483Z",
"dateUpdated": "2025-03-14T15:02:44.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29036 (GCVE-0-2022-29036)
Vulnerability from cvelistv5 – Published: 2022-04-12 00:00 – Updated: 2024-08-03 06:10
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Unaffected:
2.6.1.1
Unaffected: 1074.1076.v39c30cecb_0e2 Unaffected: 1087.1089.v2f1b_9a_b_040e4 Affected: unspecified , ≤ 1111.v35a_307992395 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:58.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "unaffected",
"version": "2.6.1.1"
},
{
"status": "unaffected",
"version": "1074.1076.v39c30cecb_0e2"
},
{
"status": "unaffected",
"version": "1087.1089.v2f1b_9a_b_040e4"
},
{
"lessThanOrEqual": "1111.v35a_307992395",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:21:18.906Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-29036",
"datePublished": "2022-04-12T00:00:00.000Z",
"dateReserved": "2022-04-11T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:10:58.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21648 (GCVE-0-2021-21648)
Vulnerability from cvelistv5 – Published: 2021-05-11 14:15 – Updated: 2024-08-03 18:16
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2021-05-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Affected:
unspecified , ≤ 2.3.18
(custom)
Unaffected: 2.3.0.1 Unaffected: 2.3.7.1 Unaffected: 2.3.14.1 Unaffected: 2.3.13.1 Unaffected: 2.3.15.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:23.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "2.3.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.3.0.1"
},
{
"status": "unaffected",
"version": "2.3.7.1"
},
{
"status": "unaffected",
"version": "2.3.14.1"
},
{
"status": "unaffected",
"version": "2.3.13.1"
},
{
"status": "unaffected",
"version": "2.3.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T15:51:12.831Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2021-21648",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Credentials Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.3.18"
},
{
"version_affected": "!",
"version_value": "2.3.0.1"
},
{
"version_affected": "!",
"version_value": "2.3.7.1"
},
{
"version_affected": "!",
"version_value": "2.3.14.1"
},
{
"version_affected": "!",
"version_value": "2.3.13.1"
},
{
"version_affected": "!",
"version_value": "2.3.15.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2349"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2021-21648",
"datePublished": "2021-05-11T14:15:20.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:16:23.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10320 (GCVE-0-2019-10320)
Vulnerability from cvelistv5 – Published: 2019-05-21 13:00 – Updated: 2024-08-04 22:17
VLAI
EPSS
VEX
Summary
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Severity
No CVSS data available.
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2019/05/21/1 | mailing-listx_refsource_MLIST |
| http://seclists.org/fulldisclosure/2019/May/39 | mailing-listx_refsource_FULLDISC |
| http://www.securityfocus.com/bid/108462 | vdb-entryx_refsource_BID |
| https://wwws.nightwatchcybersecurity.com/2019/05/… | x_refsource_MISC |
| https://access.redhat.com/errata/RHBA-2019:1605 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2019:1636 | vendor-advisoryx_refsource_REDHAT |
| https://jenkins.io/security/advisory/2019-05-21/#… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Credentials Plugin |
Affected:
2.1.18 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:17:20.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108462"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Credentials Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "2.1.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:47:19.215Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108462"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10320",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Credentials Plugin",
"version": {
"version_data": [
{
"version_value": "2.1.18 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"
},
{
"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/May/39"
},
{
"name": "108462",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108462"
},
{
"name": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/",
"refsource": "MISC",
"url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"
},
{
"name": "RHBA-2019:1605",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"name": "RHSA-2019:1636",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"name": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10320",
"datePublished": "2019-05-21T13:00:22.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:17:20.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}