Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45386 | 1 Jenkins | 1 Violations | 2023-11-01 | N/A | 5.5 MEDIUM |
| Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-46659 | 1 Jenkins | 1 Edgewall Trac | 2023-11-01 | N/A | 5.4 MEDIUM |
| Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-46660 | 1 Jenkins | 1 Zanata | 2023-11-01 | N/A | 5.3 MEDIUM |
| Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
| CVE-2023-46650 | 1 Jenkins | 1 Github | 2023-11-01 | N/A | 5.4 MEDIUM |
| Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-46651 | 1 Jenkins | 1 Warnings | 2023-11-01 | N/A | 6.5 MEDIUM |
| Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1. | |||||
| CVE-2023-46652 | 1 Jenkins | 1 Lambdatest-automation | 2023-11-01 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. | |||||
| CVE-2023-46653 | 1 Jenkins | 1 Lambdatest-automation | 2023-11-01 | N/A | 6.5 MEDIUM |
| Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure. | |||||
| CVE-2023-46654 | 1 Jenkins | 1 Cloudbees Cd | 2023-11-01 | N/A | 8.1 HIGH |
| Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-46655 | 1 Jenkins | 1 Cloudbees Cd | 2023-11-01 | N/A | 6.5 MEDIUM |
| Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server. | |||||
| CVE-2023-46656 | 1 Jenkins | 1 Multibranch Scan Webhook Trigger | 2023-11-01 | N/A | 5.3 MEDIUM |
| Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
| CVE-2023-46657 | 1 Jenkins | 1 Gogs | 2023-11-01 | N/A | 5.3 MEDIUM |
| Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
| CVE-2023-46658 | 1 Jenkins | 1 Msteams Webhook Trigger | 2023-11-01 | N/A | 5.3 MEDIUM |
| Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
| CVE-2021-21674 | 1 Jenkins | 1 Requests | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2021-21673 | 1 Jenkins | 1 Cas | 2023-10-25 | 5.8 MEDIUM | 6.1 MEDIUM |
| Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks. | |||||
| CVE-2021-21672 | 1 Jenkins | 1 Selenium Html Report | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21671 | 1 Jenkins | 1 Jenkins | 2023-10-25 | 5.1 MEDIUM | 7.5 HIGH |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. | |||||
| CVE-2021-21670 | 1 Jenkins | 1 Jenkins | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | |||||
| CVE-2021-21669 | 1 Jenkins | 1 Generic Webhook Trigger | 2023-10-25 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21664 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2023-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | |||||
| CVE-2021-21663 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | |||||