Filtered by vendor Jenkins
Total: 1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25196 | 1 Jenkins | 1 Gitlab Authentication | 2022-02-23 | 4.9 MEDIUM | 5.4 MEDIUM |
| Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. | |||||
| CVE-2022-25205 | 1 Jenkins | 1 Dbcharts | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers to connect to an attacker-specified database via JDBC using attacker-specified credentials and to determine if a class is available in the Jenkins instance. | |||||
| CVE-2022-25201 | 1 Jenkins | 1 Checkmarx | 2022-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-25200 | 1 Jenkins | 1 Checkmarx | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-25197 | 1 Jenkins | 1 Hashicorp Vault | 2022-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2022-25195 | 1 Jenkins | 1 Autonomiq | 2022-02-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-25194 | 1 Jenkins | 1 Autonomiq | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2021-21697 | 1 Jenkins | 1 Jenkins | 2021-11-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. | |||||
| CVE-2019-1003003 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2021-11-02 | 6.5 MEDIUM | 7.2 HIGH |
| An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts. | |||||
| CVE-2019-1003004 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2021-11-02 | 6.5 MEDIUM | 7.2 HIGH |
| An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the meantime. | |||||
| CVE-2019-10399 | 1 Jenkins | 1 Script Security | 2021-11-02 | 4.9 MEDIUM | 4.2 MEDIUM |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10400 | 1 Jenkins | 1 Script Security | 2021-11-02 | 4.9 MEDIUM | 4.2 MEDIUM |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10394 | 1 Jenkins | 1 Script Security | 2021-11-02 | 4.9 MEDIUM | 4.2 MEDIUM |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10393 | 1 Jenkins | 1 Script Security | 2021-11-02 | 4.9 MEDIUM | 4.2 MEDIUM |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10390 | 1 Jenkins | 1 Splunk | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
| CVE-2019-10458 | 1 Jenkins | 1 Puppet Enterprise Pipeline | 2021-10-29 | 6.5 MEDIUM | 9.9 CRITICAL |
| Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code. | |||||
| CVE-2019-10358 | 1 Jenkins | 1 Maven | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. | |||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2021-10-28 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values when exporting the configuration, so exported values were subject to variable interpolation when the configuration was imported again, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | |||||
| CVE-2019-10397 | 1 Jenkins | 1 Aqua Security Serverless Scanner | 2021-10-28 | 2.6 LOW | 3.1 LOW |
| Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2020-2228 | 1 Jenkins | 1 Gitlab Authentication | 2021-10-19 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. | |||||
| CVE-2019-16562 | 1 Jenkins | 1 Buildgraph-view | 2021-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions. | |||||
| CVE-2021-21674 | 1 Jenkins | 1 Requests | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2021-21673 | 1 Jenkins | 1 Cas | 2021-07-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks. | |||||
| CVE-2021-21670 | 1 Jenkins | 1 Jenkins | 2021-07-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | |||||
| CVE-2021-21671 | 1 Jenkins | 1 Jenkins | 2021-07-06 | 5.1 MEDIUM | 7.5 HIGH |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. | |||||
| CVE-2021-21669 | 1 Jenkins | 1 Generic Webhook Trigger | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21668 | 1 Jenkins | 1 Scriptler | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission. | |||||
| CVE-2021-21667 | 1 Jenkins | 1 Scriptler | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission. | |||||
| CVE-2021-21663 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2021-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | |||||
| CVE-2021-21662 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2021-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2021-21664 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2021-06-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | |||||
| CVE-2021-21666 | 1 Jenkins | 1 Kiuwan | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-21661 | 1 Jenkins | 1 Kubernetes | 2021-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2021-21657 | 1 Jenkins | 1 Filesystem Trigger | 2021-06-01 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21658 | 1 Jenkins | 1 Nuget | 2021-06-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21660 | 1 Jenkins | 1 Markdown Formatter | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter. | |||||
| CVE-2021-21659 | 1 Jenkins | 1 Urltrigger | 2021-05-28 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21653 | 1 Jenkins | 1 Xray - Test Management For Jira | 2021-05-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2021-21656 | 1 Jenkins | 1 Xcode Integration | 2021-05-19 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21654 | 1 Jenkins | 1 P4 | 2021-05-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password. | |||||
| CVE-2021-21650 | 1 Jenkins | 1 S3 Publisher | 2021-05-19 | 3.5 LOW | 4.3 MEDIUM |
| Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. | |||||
| CVE-2021-21651 | 1 Jenkins | 1 S3 Publisher | 2021-05-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles. | |||||
| CVE-2021-21649 | 1 Jenkins | 1 Dashboard View | 2021-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | |||||
| CVE-2021-21648 | 1 Jenkins | 1 Credentials | 2021-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-21645 | 1 Jenkins | 1 Config File Provider | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs. | |||||
| CVE-2021-21646 | 1 Jenkins | 1 Templating Engine | 2021-04-26 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. | |||||
| CVE-2021-21647 | 1 Jenkins | 1 Cloudbees Cd | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. | |||||
| CVE-2021-21643 | 1 Jenkins | 1 Config File Provider | 2021-04-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2021-21642 | 1 Jenkins | 1 Config File Provider | 2021-04-23 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21639 | 1 Jenkins | 1 Jenkins | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | |||||
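Six entries in this list (Generic Webhook Trigger, Filesystem Trigger, Nuget, URLTrigger, Xcode integration, Config File Provider) are the same defect: an XML parser left at JAXP defaults, which resolve external entities and therefore let a crafted document read files from the controller or make it issue requests. The class below is an added example, not code from those plugins or from Jenkins; it shows the default (weak) factory next to a hardened one and a constructed payload in the shape of a trigger body. Jenkins core also ships `jenkins.util.xml.XMLUtils`, whose `parse(Reader)` applies equivalent settings; plugin code should prefer that helper over hand-configuring a factory.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class XxeHardening {

    /** Constructed sample payload: an external entity that would pull a controller file into the document. */
    static final String PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE event [<!ENTITY secret SYSTEM \"file:///var/lib/jenkins/secrets/master.key\">]>\n"
          + "<event><ref>refs/heads/main</ref><note>&secret;</note></event>";

    /** Weak configuration: JAXP defaults allow a DOCTYPE and resolve external general entities. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: no DOCTYPE, no external entities or DTD, no XInclude, secure processing on. */
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the single most effective setting; the rest are defence in depth.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder builder, String xml) throws IOException, SAXException {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(safeBuilder(), PAYLOAD);
            System.out.println("unexpected: hardened parser accepted a DOCTYPE");
        } catch (SAXException e) {
            // The JDK's Xerces reports the disallowed DOCTYPE as a SAXParseException before any entity is touched.
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
        // Parsing PAYLOAD with unsafeBuilder() instead would substitute &secret; with the file contents.
    }
}
```

The feature URIs are honoured by the Xerces implementation bundled with the JDK; if a plugin bundles a different JAXP implementation, wrap each `setFeature` call in a try/catch for `ParserConfigurationException` and fail closed rather than silently parsing with defaults.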
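The GitLab Authentication (CVE-2022-25196) and CAS (CVE-2021-21673) entries are both post-login open redirects: the plugin accepted a redirect target that was not actually a path on the Jenkins instance. The validator below is an added example, not code from those plugins or from Jenkins core (which has its own helper for this, `hudson.Util.isSafeToRedirectTo`); it is plain Java with no Jenkins dependency so it can be run on its own. The `from` parameter name matches what the Jenkins login form carries; the sample targets are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SafeRedirect {

    /** Accepts only a root-relative path on this instance; everything else falls back to the default landing page. */
    static boolean isSafeToRedirectTo(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Must be root-relative. "//host" and "/\host" are scheme-relative URLs in browsers, not paths.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // Whitespace and control characters: some user agents strip them before resolving, so "/\t/evil" may become "//evil".
        for (char c : target.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) {
                return false;
            }
        }
        // A second opinion from the URI parser: anything with a scheme or authority is not a local path.
        try {
            URI uri = new URI(target);
            return !uri.isAbsolute() && uri.getAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** What the login handler should send in the Location header after successful authentication. */
    static String redirectTarget(String from, String contextPath) {
        return isSafeToRedirectTo(from) ? from : contextPath + "/";
    }

    public static void main(String[] args) {
        String[] samples = {
            "/job/app/",                 // legitimate
            "/job/app/?auto=1",          // legitimate, query string is fine
            "//evil.example/",           // scheme-relative
            "/\\evil.example/",          // backslash variant some browsers normalise to "//"
            "https://evil.example/",     // absolute
            "javascript:alert(1)",       // scheme, no leading slash
            "/\t/evil.example/",         // control character
            "job/app/"                   // relative, resolves against the current page rather than the root
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s.replace("\t", "\\t"), redirectTarget(s, "/jenkins"));
        }
    }
}
```

The check is deliberately an allow-list (root-relative path, nothing else) rather than a deny-list of known bad prefixes; the CAS entry above is exactly the failure mode of the latter, a target that "looked like" Jenkins but resolved elsewhere.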
