Jenkins Security

The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.

Learn more about Securing Jenkins in the Jenkins User Handbook.

Security Advisories

Security advisories are the primary way to publicly inform Jenkins users about security issues in Jenkins and Jenkins plugins. You can find all past security advisories in our security advisories archive.

We announce the publication of a new security advisory through multiple channels:

Additionally, Jenkins administrators are informed about published security issues directly in Jenkins if they have affected versions of Jenkins or plugins installed.

Finally, the Jenkins project is a CVE Numbering Authority (CNA), and we publish the CVE records at the same time as the corresponding security advisories, so that automated security tools that consume CVE data can identify vulnerable installations as soon as an advisory is out.
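The check that Jenkins performs for administrators (comparing what is installed against published warnings) can also be run outside Jenkins, for example in an inventory script. The code below is an added example and is not the Jenkins project's own code. Its warning entries follow the shape of the `warnings` list in the update center metadata (`type`, `name`, `versions` with an anchored regular-expression `pattern` and a `lastVersion`), and its installed-plugin input mirrors the `shortName`/`version` fields returned by `/pluginManager/api/json?depth=1`; every plugin name, warning ID, URL and version range in it is constructed for this example and does not refer to a real advisory.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample warnings, modelled on the update center "warnings" entries.
# IDs, plugin names, URLs and version ranges are invented for this example.
WARNINGS = [
    {
        "type": "plugin",
        "id": "SECURITY-EXAMPLE-1",
        "name": "example-plugin",
        "message": "example-plugin 1.0 through 1.5 is affected (constructed sample)",
        "url": "https://www.jenkins.io/security/advisory/example/",
        # "1.0" .. "1.5", including suffixed builds such as "1.4.2" or "1.5-beta"
        "versions": [{"lastVersion": "1.5", "pattern": r"1[.][0-5](|[.-].*)"}],
    },
    {
        "type": "plugin",
        "id": "SECURITY-EXAMPLE-2",
        "name": "other-plugin",
        "message": "other-plugin 2.0 through 2.2 is affected (constructed sample)",
        "url": "https://www.jenkins.io/security/advisory/example/",
        "versions": [{"lastVersion": "2.2", "pattern": r"2[.][0-2](|[.-].*)"}],
    },
    {
        "type": "core",
        "id": "SECURITY-EXAMPLE-3",
        "name": "core",
        "message": "Jenkins 2.300 through 2.399 is affected (constructed sample)",
        "url": "https://www.jenkins.io/security/advisory/example/",
        "versions": [{"lastVersion": "2.399", "pattern": r"2[.]3[0-9]{2}(|[.-].*)"}],
    },
]

# Constructed sample in the shape of /pluginManager/api/json?depth=1 output.
PLUGIN_MANAGER_JSON = {
    "plugins": [
        {"shortName": "example-plugin", "version": "1.4.2", "active": True},
        {"shortName": "other-plugin", "version": "2.3", "active": True},
    ]
}


def installed_from_plugin_manager_json(data: dict) -> Dict[str, str]:
    """Map plugin short name -> installed version from the plugin manager JSON."""
    return {p["shortName"]: p["version"] for p in data.get("plugins", [])}


def find_affected(installed_plugins: Dict[str, str], core_version: str,
                  warnings: Iterable[dict]) -> List[dict]:
    """Return the warnings whose version patterns match what is installed.

    A warning applies when the whole version string matches one of its
    patterns (re.fullmatch), so "1.10" does not match a pattern written for
    "1.0".."1.5" even though it starts with "1.1".
    """
    hits = []
    for warning in warnings:
        if warning["type"] == "core":
            version = core_version
        elif warning["type"] == "plugin":
            version = installed_plugins.get(warning["name"])
            if version is None:
                continue  # plugin not installed here, nothing to report
        else:
            continue  # unknown warning type, ignore
        for entry in warning["versions"]:
            if re.fullmatch(entry["pattern"], version):
                hits.append({
                    "id": warning["id"],
                    "name": warning["name"],
                    "installed": version,
                    "fixed_after": entry["lastVersion"],
                    "url": warning["url"],
                })
                break  # one match per warning is enough
    return hits


if __name__ == "__main__":
    installed = installed_from_plugin_manager_json(PLUGIN_MANAGER_JSON)
    for hit in find_affected(installed, "2.401", WARNINGS):
        print(f"{hit['id']}: {hit['name']} {hit['installed']} is affected "
              f"(last affected version {hit['fixed_after']}), see {hit['url']}")
```

The patterns are deliberately anchored with `re.fullmatch`; matching them with `re.match` or `re.search` would report newer, fixed releases such as "1.10" as affected, which is the kind of false positive that makes administrators ignore the warnings.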

Even if you run Jenkins on a private network and trust everyone in your team, security issues in Jenkins can still impact you:

  • CSRF vulnerabilities are a risk even if attackers have no direct network access to Jenkins: the forged request is sent by the browser of a legitimate, logged-in user, for example when that user visits an attacker-controlled web page.

  • Does Jenkins build source code you haven’t audited, using build scripts someone else wrote, and display generated reports in its web UI? Each of these is a way for untrusted input to reach Jenkins, and therefore a potential security concern.

How to Report a Security Vulnerability

If you find a vulnerability in Jenkins, please report it in the issue tracker under the SECURITY project.

We provide issue reporting guidelines and an overview of our process on Reporting Security Vulnerabilities.

Learn More

How We Handle Vulnerabilities in Plugins

We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However, the number and diversity of plugins, and the autonomy of their maintainers, make this impossible to guarantee.

How We Schedule Security Advisories

Information about how we schedule security advisories and security updates.

How We Fix Security Issues

Guidelines for developing security fixes in the Jenkins project.

Information for Plugin Maintainers

The Jenkins security team contacted me about a security vulnerability. Now what?

Information for Administrators

This page explains everything Jenkins users and administrators need to know about the Jenkins security process.

Jenkins CVE Numbering Authority

The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and for Jenkins plugins published by the Jenkins project.

About the Jenkins Security Team

The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer who triage and fix security vulnerabilities.

Improvements by the Security Team

These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes, but still are security-related.