Jenkins CVE Numbers Authority

The Jenkins project is a CVE Numbers Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project (listed on plugins.jenkins.io and/or hosted in the jenkinsci GitHub organization). This means that the Jenkins project assigns CVE IDs for vulnerabilities in these components.

CNA scope and coordination

Determining whether there is another CNA for a specific component can be challenging, especially if the companies have changed names, been acquired, or do not share a common name with the component itself. This means that the search is manual and a best effort approach.

If a CNA wishes to identify themselves for a particular component, they can use the contact information below. The same applies in response to an advisory, if a CNA was not found in our search, they can contact us to be included in our list for future reference.

Contact

Contact us at jenkinsci-cert@googlegroups.com if you have any questions about the Jenkins CNA.

Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as log4shell or SpringShell, you will find a response in our blog.

CVE Assignment Process

CVEs for privately reported and tracked security vulnerabilities are assigned shortly (several hours to a few days) before publication in a security advisory.