Jenkins CVE Numbering Authority

The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project (listed on plugins.jenkins.io and/or hosted in the jenkinsci GitHub organization). This means that the Jenkins project assigns CVE IDs for vulnerabilities in these components.

Contact

Contact us at jenkinsci-cert@googlegroups.com if you have any questions about the Jenkins CNA.

Do not contact the Jenkins security team to ask for compliance documents or certifications, or to have a questionnaire filled out. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as Log4Shell or SpringShell, you will find a response on our blog.

CVE Assignment Process

CVEs for privately reported and tracked security vulnerabilities are assigned shortly (several hours to a few days) before publication in a security advisory.