Filtered by vendor Jenkins
Subscriptions
Total
1633 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-35141 | 1 Jenkins | 1 Jenkins | 2025-01-02 | 8 High |
| In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu. | ||||
| CVE-2023-35145 | 1 Jenkins | 1 Sonargraph Integration | 2025-01-02 | 5.4 Medium |
| Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2023-35146 | 1 Jenkins | 1 Template Workflows | 2024-12-31 | 5.4 Medium |
| Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs. | ||||
| CVE-2023-35148 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-31 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | ||||
| CVE-2023-35147 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-12-31 | 6.5 Medium |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system. | ||||
| CVE-2023-35149 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-30 | 6.5 Medium |
| A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | ||||
| CVE-2024-23897 | 2 Jenkins, Redhat | 2 Jenkins, Ocp Tools | 2024-12-20 | 9.8 Critical |
| Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2023-3315 | 1 Jenkins | 1 Team Concert | 2024-12-11 | 4.3 Medium |
| Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||||
| CVE-2024-52550 | 2 Jenkins, Redhat | 2 Groovy, Ocp Tools | 2024-11-26 | 8 High |
| Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. | ||||
| CVE-2024-23898 | 2 Jenkins, Redhat | 2 Jenkins, Ocp Tools | 2024-11-21 | 8.8 High |
| Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. | ||||
| CVE-2023-4303 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.3 Medium |
| Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability. | ||||
| CVE-2023-4302 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.2 Medium |
| A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.2 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2023-49652 | 1 Jenkins | 1 Google Compute Engine | 2024-11-21 | 2.7 Low |
| Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. | ||||
| CVE-2023-46651 | 1 Jenkins | 1 Warnings | 2024-11-21 | 6.5 Medium |
| Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1. | ||||
| CVE-2023-43502 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes. | ||||
| CVE-2023-43501 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 6.5 Medium |
| A missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | ||||
| CVE-2023-43500 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | ||||
| CVE-2023-43499 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 5.4 Medium |
| Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes. | ||||
| CVE-2023-43498 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 8.1 High |
| In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | ||||