org.jenkins-ci.main:jenkins-core
Maven package. 233 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance. Where an entry shows severity NONE and CVSS 0.0, the aggregated sources record no score for it; treat that as missing data rather than a zero-risk rating (CVE-2014-3666 below, remote code execution via the CLI channel, is listed that way). Vulnerable ranges that begin at 1.396, the lowest version this listing covers, say nothing about older releases, and the single "fixed in" version shown per entry is one fix line; the description text names both the weekly and the LTS fix where they differ.
CVEs affecting org.jenkins-ci.main:jenkins-core (page 1 of 5)
- CVE-2011-4344 | severity NONE | CVSS 0.0 | fixed in 1.438 | 2011-12-01
vulnerable: 1.410 ... 1.437 (34 versions)
Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to…
- CVE-2012-0324 | severity NONE | CVSS 0.0 | fixed in 1.424.5 | 2012-03-09
vulnerable: 1.396 ... 1.424.4 (35 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via …
- CVE-2012-0325 | severity NONE | CVSS 0.0 | fixed in 1.424.5 | 2012-03-09
vulnerable: 1.396 ... 1.424.4 (35 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via …
- CVE-2012-0785 | severity HIGH | CVSS 7.5 | EG 7.5 | fixed in 1.424.2 | 2020-02-24
vulnerable: 1.396 ... 1.424.1 (32 versions)
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU lo…
- CVE-2012-4438 | severity HIGH | CVSS 8.8 | EG 8.8 | fixed in 1.482 | 2019-11-18
vulnerable: 1.467 ... 1.481 (18 versions)
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.
- CVE-2012-4439 | severity MEDIUM | CVSS 6.1 | EG 6.1 | fixed in 1.482 | 2019-11-18
vulnerable: 1.467 ... 1.481 (18 versions)
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.
- CVE-2012-6072 | severity NONE | CVSS 0.0 | fixed in 1.480.1 | 2013-02-24
vulnerable: 1.396 ... 1.480 (97 versions)
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP he…
- CVE-2012-6073 | severity NONE | CVSS 0.0 | fixed in 1.491 | 2013-02-24
vulnerable: 1.481 ... 1.490 (10 versions)
Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitra…
- CVE-2012-6074 | severity NONE | CVSS 0.0 | fixed in 1.480.1 | 2013-02-24
vulnerable: 1.396 ... 1.480 (97 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with …
- CVE-2013-0158 | severity NONE | CVSS 0.0 | fixed in 1.480.2 | 2013-02-24
vulnerable: 1.396 ... 1.480.1 (98 versions)
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote atta…
- CVE-2013-0327 | severity NONE | CVSS 0.0 | fixed in 1.480.3 | 2013-03-19
vulnerable: 1.396 ... 1.480.2 (99 versions)
Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.
- CVE-2013-0328 | severity NONE | CVSS 0.0 | fixed in 1.502 | 2013-03-19
vulnerable: 1.396 ... 1.501 (121 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2013-0329 | severity NONE | CVSS 0.0 | fixed in 1.480.3 | 2013-03-19
vulnerable: 1.396 ... 1.480.2 (99 versions)
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.
- CVE-2013-0330 | severity NONE | CVSS 0.0 | fixed in 1.480.3 | 2013-03-19
vulnerable: 1.396 ... 1.480.2 (99 versions)
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.
- CVE-2013-0331 | severity NONE | CVSS 0.0 | fixed in 1.480.3 | 2013-03-19
vulnerable: 1.396 ... 1.480.2 (99 versions)
Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.
- CVE-2013-2033 | severity NONE | CVSS 0.0 | fixed in 1.514 | 2014-04-10
vulnerable: 1.513
Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web scr…
- CVE-2013-2034 | severity NONE | CVSS 0.0 | fixed in 1.514 | 2014-05-14
vulnerable: 1.513
Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administra…
- CVE-2013-5573 | severity NONE | CVSS 0.0 | no fixed version listed | 2013-12-31
vulnerable: 1.396 ... 1.523 (152 versions)
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
- CVE-2013-7330 | severity NONE | CVSS 0.0 | fixed in 1.480.3 | 2014-10-17
vulnerable: 1.396 ... 1.480.2 (99 versions)
Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.
- CVE-2014-2058 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of …
- CVE-2014-2059 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-03-01
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.
- CVE-2014-2060 | severity NONE | CVSS 0.0 | fixed in 1.551 | 2014-10-17
vulnerable: 1.533 ... 1.550 (18 versions)
The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.
- CVE-2014-2061 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.
- CVE-2014-2062 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.
- CVE-2014-2063 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
- CVE-2014-2064 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.
- CVE-2014-2065 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.
- CVE-2014-2066 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.
- CVE-2014-2067 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-03-01
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."
- CVE-2014-2068 | severity NONE | CVSS 0.0 | fixed in 1.532.2 | 2014-10-17
vulnerable: 1.396 ... 1.532.1.JENKINS-19453 (163 versions)
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to h…
- CVE-2014-3661 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.
- CVE-2014-3662 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
- CVE-2014-3663 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.
- CVE-2014-3664 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-15
vulnerable: 1.396 ... 1.565.2 (210 versions)
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.
- CVE-2014-3665 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.587 | 2015-11-25
vulnerable: 1.396 ... 1.586 (235 versions)
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
- CVE-2014-3666 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.
- CVE-2014-3667 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.
- CVE-2014-3680 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-16
vulnerable: 1.396 ... 1.565.2 (210 versions)
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.
- CVE-2014-3681 | severity NONE | CVSS 0.0 | fixed in 1.565.3 | 2014-10-15
vulnerable: 1.396 ... 1.565.2 (210 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2014-9634 | severity MEDIUM | CVSS 5.3 | EG 5.3 | fixed in 1.586 | 2017-09-12
vulnerable: 1.396 ... 1.585 (234 versions)
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
- CVE-2014-9635 | severity MEDIUM | CVSS 5.3 | EG 5.3 | fixed in 1.586 | 2017-09-12
vulnerable: 1.396 ... 1.585 (234 versions)
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to …
- CVE-2015-1806 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.596.1 | 2015-10-16
vulnerable: 1.396 ... 1.596 (245 versions)
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.
- CVE-2015-1808 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.596.1 | 2015-10-16
vulnerable: 1.396 ... 1.596 (245 versions)
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.
- CVE-2015-1809 | severity HIGH | CVSS 7.5 | EG 7.5 | fixed in 1.596.1 | 2020-01-15
vulnerable: 1.396 ... 1.596 (245 versions)
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.
- CVE-2015-1810 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.596.1 | 2015-10-16
vulnerable: 1.396 ... 1.596 (245 versions)
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creatin…
- CVE-2015-1811 | severity HIGH | CVSS 7.5 | EG 7.5 | fixed in 1.596.1 | 2020-01-15
vulnerable: 1.396 ... 1.596 (245 versions)
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.
- CVE-2015-1812 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.606 | 2015-10-16
vulnerable: 1.600, 1.601, 1.602, 1.604, 1.605
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.
- CVE-2015-1813 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.596.2 | 2015-10-16
vulnerable: 1.396 ... 1.596.1 (246 versions)
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.
- CVE-2015-1814 | severity NONE | CVSS 0.0 | EG 0.0 | fixed in 1.596.2 | 2015-10-16
vulnerable: 1.396 ... 1.596.1 (246 versions)
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.
- CVE-2015-5317 | severity HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | fixed in 1.638 | 2015-11-25
vulnerable: 1.626 ... 1.637 (12 versions)
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
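The listing above is only useful once it is matched against the jenkins-core version actually deployed, and the version strings involved (1.480.3 against 1.491, or the 1.532.1.JENKINS-19453 build that closes several ranges) do not compare correctly as plain strings. The following is an added example, not code from the original page or from the Jenkins project: it encodes a constructed subset of the entries above as records, orders versions the way the listing does (numeric components as integers, a trailing non-numeric qualifier sorting after its base version), reports which listed CVEs contain a candidate version, and picks the highest listed "fixed in" version as the upgrade that clears them. The purl format and the `ENTRIES` sample are assumptions made for the demo; the upgrade target assumes the hits' fix versions lie on one release line, since the listing shows one fix version per entry even where the description names both a weekly and an LTS fix.

```python
"""Version triage against the jenkins-core advisory listing.

Added example, not code from the original page or from the Jenkins project.
It encodes a subset of the entries above as (CVE, vulnerable range, fixed-in)
records, applies Jenkins-style version ordering, and reports which listed CVEs
apply to a candidate version plus the highest listed fix that clears them.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    cve: str
    first_vulnerable: str        # inclusive lower bound, as shown on the page
    last_vulnerable: str         # inclusive upper bound, as shown on the page
    fixed_in: Optional[str]      # None where the listing shows no fixed version


# Constructed from the entries above; the full listing has 233, this is a sample.
ENTRIES = [
    Entry("CVE-2011-4344", "1.410", "1.437", "1.438"),
    Entry("CVE-2012-4438", "1.467", "1.481", "1.482"),
    Entry("CVE-2014-2059", "1.396", "1.532.1.JENKINS-19453", "1.532.2"),
    Entry("CVE-2014-2060", "1.533", "1.550", "1.551"),
    Entry("CVE-2014-3666", "1.396", "1.565.2", "1.565.3"),
    Entry("CVE-2013-5573", "1.396", "1.523", None),
    Entry("CVE-2015-5317", "1.626", "1.637", "1.638"),
]


def version_key(version: str) -> tuple:
    """Sort key for versions such as 1.480, 1.480.3 or 1.532.1.JENKINS-19453.

    Numeric components compare as integers. A non-numeric component (the
    JENKINS-19453 qualifier in the listing) sorts after the same base version
    without it, so 1.532.1 < 1.532.1.JENKINS-19453 < 1.532.2.
    """
    key = []
    for component in version.split("."):
        if component.isdigit():
            key.append((0, int(component), ""))
        else:
            key.append((1, 0, component))
    return tuple(key)


def is_affected(version: str, entry: Entry) -> bool:
    """True when `version` lies inside the entry's inclusive vulnerable range."""
    v = version_key(version)
    return version_key(entry.first_vulnerable) <= v <= version_key(entry.last_vulnerable)


def affected(version: str, entries=ENTRIES) -> list:
    """CVE ids from `entries` whose vulnerable range contains `version`."""
    return [e.cve for e in entries if is_affected(version, e)]


def upgrade_target(version: str, entries=ENTRIES):
    """Return (target, unfixed).

    target: the highest 'fixed in' version among the hits, i.e. the smallest
    upgrade that clears all of them, assuming the fixes lie on one release line.
    unfixed: hits for which the listing shows no fixed version at all.
    """
    hits = [e for e in entries if is_affected(version, e)]
    fixes = [e.fixed_in for e in hits if e.fixed_in]
    unfixed = [e.cve for e in hits if e.fixed_in is None]
    target = max(fixes, key=version_key) if fixes else None
    return target, unfixed


# Package URL shape assumed for a CycloneDX/SPDX SBOM component (hypothetical input).
PURL_RE = re.compile(r"^pkg:maven/org\.jenkins-ci\.main/jenkins-core@([^?#]+)")


def purl_version(purl: str) -> Optional[str]:
    """Extract the version from a jenkins-core package URL, or None if it is another package."""
    m = PURL_RE.match(purl)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed SBOM component reference for the demo.
    purl = "pkg:maven/org.jenkins-ci.main/jenkins-core@1.532.1.JENKINS-19453?type=jar"
    v = purl_version(purl)
    print(v, "->", affected(v), upgrade_target(v))
```

Feeding every SBOM component through `purl_version` and `affected` gives a per-deployment list; the `unfixed` half of `upgrade_target` is the part to carry into a risk register, since upgrading alone does not close those entries.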
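CVE-2014-9634 and CVE-2014-9635 above describe the same defect from two angles: the session cookie issued by Jenkins lacking the Secure attribute and lacking the HttpOnly attribute. Whether a given instance (or a reverse proxy in front of it) still issues such a cookie is observable from one response, so the following is an added example, not code from the original page or from Jenkins, of a header audit that flags session cookies missing either attribute. The sample headers are constructed; the `JSESSIONID.<hash>` naming is assumed to mirror the session cookie Jenkins issues under its bundled container, while a plain `JSESSIONID` matches the Tomcat deployment the two CVEs mention, and the prefix match covers both.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from the original page or from Jenkins. The sample
headers are constructed; the check flags any session cookie that lacks either
attribute, which is the condition CVE-2014-9634 / CVE-2014-9635 describe.
"""


def cookie_flags(set_cookie: str):
    """Return (cookie name, list of missing flags) for one Set-Cookie value.

    Attribute names are matched case-insensitively, as browsers treat them.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return name, missing


def audit_session_cookies(set_cookie_headers, session_prefix="JSESSIONID"):
    """Findings as (name, missing flags), one per session cookie lacking a flag.

    Non-session cookies are ignored here; the prefix match covers both the
    plain JSESSIONID name and the suffixed JSESSIONID.<hash> form (assumed).
    """
    findings = []
    for header in set_cookie_headers:
        name, missing = cookie_flags(header)
        if name.startswith(session_prefix) and missing:
            findings.append((name, missing))
    return findings


# Constructed response headers, as a proxy or scanner would capture them.
SAMPLE_HEADERS = [
    "JSESSIONID.3f2a1c4d=node01abc123.node0; Path=/",                    # both flags missing
    "JSESSIONID.3f2a1c4d=node01abc123.node0; Path=/; HttpOnly",          # Secure missing
    "JSESSIONID.3f2a1c4d=node01abc123.node0; Path=/; Secure; HttpOnly",  # clean
    "iconSize=32x32; Path=/",                                            # not a session cookie
]

if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against the raw `Set-Cookie` headers from a login response; a finding on an instance newer than 1.586 points at the container or proxy configuration rather than at jenkins-core.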