Jenkins ↗
Jenkins · Infrastructure
50/100 Attention
Summary iPlain-English security verdict for Jenkins, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Jenkins currently scores 50/100 — needs attention. 5 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2018-1000861. Patch the open issues below when you can. Note: this product is assessed at the product level on recent (365-day) activity rather than an exact per-version match, so it is never marked a confident "healthy".
Disclosure trend iNew CVEs published for Jenkins each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
'19
'20
'21
'22
'23
'24
'25
'26
⚠ 1 of its known vulnerability is linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2018-1000861 CRITICAL ● exploited Insecure deserialization EPSS 94% → see advisory CVE-2017-1000353 CRITICAL ● exploited Insecure deserialization EPSS 94% → see advisory CVE-2024-23897 CRITICAL ● exploited ⚠ ransomware Path traversal EPSS 94% → fixed in 2.442 CVE-2023-44487 HIGH ● exploited Uncontrolled resource consumption EPSS 94% → see advisory CVE-2015-5317 HIGH ● exploited Information disclosure EPSS 40% → see advisory CVE-2018-1999002 HIGH EPSS 94% → see advisory CVE-2016-0792 HIGH Improper input validation EPSS 91% → see advisory CVE-2016-9299 CRITICAL CWE-90 EPSS 89% → see advisory CVE-2015-8103 CRITICAL Insecure deserialization EPSS 86% → fixed in 1.638 CVE-2019-10405 MEDIUM Cross-site scripting (XSS) EPSS 82% → see advisory CVE-2024-43044 HIGH CWE-754 EPSS 66% → fixed in 2.471 CVE-2023-43494 MEDIUM EPSS 49% → fixed in 2.424ℹ product-level posture (last 365d); exact per-version verdict pending precise version mapping