Filtered by vendor Jenkins
Subscribe
Search
Total
1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34781 | 1 Jenkins | 1 Xebialabs Xl Release | 2024-01-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2020-2268 | 1 Jenkins | 1 Mongodb | 2024-01-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. | |||||
| CVE-2022-30957 | 1 Jenkins | 1 Ssh | 2024-01-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-30947 | 1 Jenkins | 1 Git | 2024-01-09 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||||
| CVE-2022-28133 | 1 Jenkins | 1 Bitbucket Server Integration | 2024-01-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | |||||
| CVE-2022-34795 | 1 Jenkins | 1 Deployment Dashboard | 2024-01-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | |||||
| CVE-2015-8103 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | |||||
| CVE-2023-40338 | 1 Jenkins | 1 Folders | 2024-01-02 | N/A | 4.3 MEDIUM |
| Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. | |||||
| CVE-2021-21675 | 1 Jenkins | 1 Requests | 2023-12-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests. | |||||
| CVE-2021-21655 | 1 Jenkins | 1 P4 | 2023-12-27 | 5.8 MEDIUM | 7.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password. | |||||
| CVE-2022-34790 | 1 Jenkins | 1 Extreme Feedback Panel | 2023-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-27209 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2023-12-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-27216 | 1 Jenkins | 1 Dbcharts | 2023-12-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-27213 | 1 Jenkins | 1 Environment Dashboard | 2023-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | |||||
| CVE-2022-27215 | 1 Jenkins | 1 Release Helper | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-29052 | 1 Jenkins | 1 Google Compute Engine | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-27214 | 1 Jenkins | 1 Release Helper | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-28137 | 1 Jenkins | 1 Jiratestresultreporter | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-29051 | 1 Jenkins | 1 Publish Over Ftp | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. | |||||
| CVE-2022-29050 | 1 Jenkins | 1 Publish Over Ftp | 2023-12-22 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials. | |||||
| CVE-2022-28134 | 1 Jenkins | 1 Bitbucket Server Integration | 2023-12-22 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. | |||||
| CVE-2022-30946 | 1 Jenkins | 1 Script Security | 2023-12-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. | |||||
| CVE-2022-27217 | 1 Jenkins | 1 Vmware Vrealize Codestream | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-25183 | 1 Jenkins | 1 Pipeline\ | 2023-12-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists. | |||||
| CVE-2022-30945 | 1 Jenkins | 1 Pipeline\ | 2023-12-21 | 6.8 MEDIUM | 8.5 HIGH |
| Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. | |||||
| CVE-2022-29044 | 1 Jenkins | 1 Node And Label Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-27212 | 1 Jenkins | 1 List Git Branches Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29045 | 1 Jenkins | 1 Promoted Builds | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29049 | 1 Jenkins | 1 Promoted Builds | 2023-12-21 | 4.0 MEDIUM | 5.4 MEDIUM |
| Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name. | |||||
| CVE-2022-30949 | 1 Jenkins | 1 Repo | 2023-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||||
| CVE-2022-29047 | 1 Jenkins | 1 Pipeline\ | 2023-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them. | |||||
| CVE-2022-27218 | 1 Jenkins | 1 Incapptic Connect Uploader | 2023-12-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-27208 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. | |||||
| CVE-2022-28135 | 1 Jenkins | 1 Instant-messaging | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34197 | 1 Jenkins | 1 Sauce Ondemand | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Sauce OnDemand Plugin 1.204 and earlier does not escape the name and description of Sauce Labs Browsers parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34778 | 1 Jenkins | 1 Testng Results | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results. | |||||
| CVE-2022-34198 | 1 Jenkins | 1 Stash Branch Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier does not escape the name and description of Stash Branch parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34196 | 1 Jenkins | 1 Rest List Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins REST List Parameter Plugin 1.5.2 and earlier does not escape the name and description of REST list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34777 | 1 Jenkins | 1 Gitlab | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34195 | 1 Jenkins | 1 Repository Connector | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Repository Connector Plugin 2.2.0 and earlier does not escape the name and description of Maven Repository Artifact parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34786 | 1 Jenkins | 1 Rich Text Publisher | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | |||||
| CVE-2022-34783 | 1 Jenkins | 1 Plot | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34788 | 1 Jenkins | 1 Matrix Reloaded | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | |||||
| CVE-2022-34784 | 1 Jenkins | 1 Build-metrics | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. | |||||
| CVE-2022-34791 | 1 Jenkins | 1 Validating Email Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34787 | 1 Jenkins | 1 Project Inheritance | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked. | |||||
| CVE-2021-21665 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2023-12-21 | 6.0 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | |||||
| CVE-2022-29048 | 2 Apple, Jenkins | 2 Macos, Subversion | 2023-12-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2020-2241 | 1 Jenkins | 1 Database | 2023-12-21 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. | |||||
| CVE-2022-28136 | 1 Jenkins | 1 Jiratestresultreporter | 2023-12-21 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||