Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50772 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50773 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2023-50774 | 1 Jenkins | 1 Html Resource | 2023-12-18 | N/A | 8.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-49653 | 1 Jenkins | 1 Jira | 2023-12-05 | N/A | 6.5 MEDIUM |
| Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | |||||
| CVE-2023-49652 | 1 Jenkins | 1 Google Compute Engine | 2023-12-05 | N/A | 2.7 LOW |
| Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. | |||||
| CVE-2023-49674 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-12-05 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | |||||
| CVE-2023-49673 | 1 Jenkins | 4 Google Compute Engine, Jira, Matlab and 1 more | 2023-12-05 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | |||||
| CVE-2023-49656 | 1 Jenkins | 1 Matlab | 2023-12-05 | N/A | 9.8 CRITICAL |
| Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-49655 | 1 Jenkins | 1 Matlab | 2023-12-05 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system. | |||||
| CVE-2023-49654 | 1 Jenkins | 1 Matlab | 2023-12-05 | N/A | 9.8 CRITICAL |
| Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. | |||||
| CVE-2021-21641 | 1 Jenkins | 1 Promoted Builds | 2023-11-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds. | |||||
| CVE-2021-21644 | 1 Jenkins | 1 Config File Provider | 2023-11-30 | 5.8 MEDIUM | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID. | |||||
| CVE-2021-21652 | 1 Jenkins | 1 Xray - Test Management For Jira | 2023-11-30 | 5.8 MEDIUM | 7.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21633 | 1 Jenkins | 1 Owasp Dependency-track | 2023-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21638 | 1 Jenkins | 1 Team Foundation Server | 2023-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-23117 | 1 Jenkins | 1 Conjur Secrets | 2023-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. | |||||
| CVE-2022-25190 | 1 Jenkins | 1 Conjur Secrets | 2023-11-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-23118 | 1 Jenkins | 1 Debian Package Builder | 2023-11-30 | 9.0 HIGH | 8.8 HIGH |
| Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller. | |||||
| CVE-2022-0538 | 1 Jenkins | 1 Jenkins | 2023-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. | |||||
| CVE-2022-25173 | 1 Jenkins | 1 Pipeline\ | 2023-11-30 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | |||||