Filtered by vendor Jenkins
Subscribe
Search
Total
1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34172 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34170 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2022-34171 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34173 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2022-34208 | 1 Jenkins | 1 Beaker Builder | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-34206 | 1 Jenkins | 1 Jianliao Notification | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. | |||||
| CVE-2022-34204 | 1 Jenkins | 1 Easyqa | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-34213 | 1 Jenkins | 1 Squash Tm Publisher | 2022-06-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34207 | 1 Jenkins | 1 Beaker Builder | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-34209 | 1 Jenkins | 1 Threadfix | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-34211 | 1 Jenkins | 1 Vrealize Orchestrator | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send an HTTP POST request to an attacker-specified URL. | |||||
| CVE-2022-34210 | 1 Jenkins | 1 Threadfix | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-34212 | 1 Jenkins | 1 Vrealize Orchestrator | 2022-06-29 | 3.5 LOW | 5.7 MEDIUM |
| A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. | |||||
| CVE-2022-34205 | 1 Jenkins | 1 Jianliao Notification | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL. | |||||
| CVE-2022-34203 | 1 Jenkins | 1 Easyqa | 2022-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-34202 | 1 Jenkins | 1 Easyqa | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34201 | 1 Jenkins | 1 Convertigo Mobile Platform | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-34200 | 1 Jenkins | 1 Convertigo Mobile Platform | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-34199 | 1 Jenkins | 1 Convertigo Mobile Platform | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-34194 | 1 Jenkins | 1 Readonly Parameter | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Readonly Parameter Plugin 1.0.0 and earlier does not escape the name and description of Readonly String and Readonly Text parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34193 | 1 Jenkins | 1 Package Version | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Package Version Plugin 1.0.1 and earlier does not escape the name of Package version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34192 | 1 Jenkins | 1 Ontrack | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ontrack Jenkins Plugin 4.0.0 and earlier does not escape the name of Ontrack: Multi Parameter choice, Ontrack: Parameter choice, and Ontrack: SingleParameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34191 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier does not escape the name of NetStorm Test parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34190 | 1 Jenkins | 1 Maven Metadata | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34177 | 1 Jenkins | 1 Pipeline\ | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. | |||||
| CVE-2022-34176 | 1 Jenkins | 1 Junit | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | |||||
| CVE-2022-34183 | 1 Jenkins | 1 Agent Server Parameter | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34181 | 1 Jenkins | 1 Xunit | 2022-06-29 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory. | |||||
| CVE-2022-34182 | 1 Jenkins | 1 Nested View | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34180 | 1 Jenkins | 1 Embeddable Build Status | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. | |||||
| CVE-2022-34179 | 1 Jenkins | 1 Embeddable Build Status | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system. | |||||
| CVE-2022-34178 | 1 Jenkins | 1 Embeddable Build Status | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34175 | 1 Jenkins | 1 Jenkins | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | |||||
| CVE-2022-34174 | 1 Jenkins | 1 Jenkins | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | |||||
| CVE-2018-6356 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. | |||||
| CVE-2017-1000353 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. | |||||
| CVE-2018-1000068 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. | |||||
| CVE-2018-1000067 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. | |||||
| CVE-2018-1000192 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. | |||||
| CVE-2018-1000193 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. | |||||
| CVE-2018-1000195 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | |||||
| CVE-2018-1000194 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.5 MEDIUM | 8.1 HIGH |
| A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. | |||||
| CVE-2018-1999001 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.3 MEDIUM | 8.8 HIGH |
| A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. | |||||
| CVE-2018-1999003 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. | |||||
| CVE-2018-1999002 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 7.5 HIGH |
| A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. | |||||
| CVE-2018-1999007 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. | |||||
| CVE-2018-1999005 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1999004 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. | |||||
| CVE-2019-1003005 | 1 Jenkins | 1 Script Security | 2022-06-13 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
| CVE-2018-1000861 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2022-06-13 | 10.0 HIGH | 9.8 CRITICAL |
| A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | |||||