Total
2747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41250 | 1 Jenkins | 1 Scm Httpclient | 2023-11-01 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-43417 | 1 Jenkins | 1 Katalon | 2023-11-01 | N/A | 4.3 MEDIUM |
| Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-43413 | 1 Jenkins | 1 Job Import | 2023-11-01 | N/A | 4.3 MEDIUM |
| Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-41228 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2023-11-01 | N/A | 8.8 HIGH |
| A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. | |||||
| CVE-2022-41234 | 1 Jenkins | 1 Rundeck | 2023-11-01 | N/A | 8.8 HIGH |
| Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck. | |||||
| CVE-2022-41233 | 1 Jenkins | 1 Rundeck | 2023-11-01 | N/A | 4.3 MEDIUM |
| Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. | |||||
| CVE-2022-41230 | 1 Jenkins | 1 Build-publisher | 2023-11-01 | N/A | 4.3 MEDIUM |
| Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. | |||||
| CVE-2022-41238 | 1 Jenkins | 1 Dotci | 2023-11-01 | N/A | 9.8 CRITICAL |
| A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits. | |||||
| CVE-2022-41242 | 1 Jenkins | 1 Extreme-feedback | 2023-11-01 | N/A | 5.4 MEDIUM |
| A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. | |||||
| CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2023-11-01 | N/A | 5.3 MEDIUM |
| A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. | |||||
| CVE-2022-45394 | 1 Jenkins | 1 Delete Log | 2023-11-01 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. | |||||
| CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2023-11-01 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-45399 | 1 Jenkins | 1 Cluster Statistics | 2023-11-01 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. | |||||
| CVE-2023-46652 | 1 Jenkins | 1 Lambdatest-automation | 2023-11-01 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. | |||||
| CVE-2023-37910 | 1 Xwiki | 1 Xwiki | 2023-10-31 | N/A | 8.1 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document (can be the user profile which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker to access and possibly publish any attachment of which the name is known, regardless if the attacker has view or edit rights on the source document of this attachment. Further, the attachment is deleted from the source document. This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. There is no workaround apart from upgrading to a fixed version. | |||||
| CVE-2021-21637 | 1 Jenkins | 1 Team Foundation Server | 2023-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21636 | 1 Jenkins | 1 Team Foundation Server | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2021-21632 | 1 Jenkins | 1 Owasp Dependency-track | 2023-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21631 | 1 Jenkins | 1 Cloud Statistics | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages. | |||||
| CVE-2021-21626 | 1 Jenkins | 1 Warnings Next Generation | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. | |||||