Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27195 | 1 Jenkins | 1 Parameterized Trigger | 2023-01-30 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2021-21652 | 1 Jenkins | 1 Xray - Test Management For Jira | 2023-01-30 | 5.8 MEDIUM | 7.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10340 | 1 Jenkins | 1 Docker | 2023-01-30 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10349 | 1 Jenkins | 1 Dependency Graph Viewer | 2023-01-30 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10346 | 1 Jenkins | 1 Embeddable Build Status | 2023-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin. | |||||
| CVE-2019-10475 | 1 Jenkins | 1 Build-metrics | 2023-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | |||||
| CVE-2019-10435 | 1 Jenkins | 1 Sourcegear Vault | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2019-10434 | 1 Jenkins | 1 Ldap Email | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-10401 | 1 Jenkins | 1 Jenkins | 2023-01-27 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | |||||
| CVE-2022-46688 | 1 Jenkins | 1 Sonar Gerrit | 2022-12-14 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | |||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2022-12-12 | N/A | 9.8 CRITICAL |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-46683 | 1 Jenkins | 1 Google Login | 2022-12-12 | N/A | 6.1 MEDIUM |
| Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | |||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2022-12-12 | N/A | 5.4 MEDIUM |
| Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2022-12-12 | N/A | 5.4 MEDIUM |
| Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. | |||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2022-12-12 | N/A | 5.4 MEDIUM |
| Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | |||||
| CVE-2021-21693 | 1 Jenkins | 1 Jenkins | 2022-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2017-2599 | 1 Jenkins | 1 Jenkins | 2022-11-30 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). | |||||
| CVE-2022-45381 | 1 Jenkins | 1 Pipeline Utility Steps | 2022-11-29 | N/A | 8.1 HIGH |
| Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | |||||
| CVE-2022-27201 | 1 Jenkins | 2 Jenkins, Semantic Versioning | 2022-11-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | |||||
| CVE-2022-41235 | 1 Jenkins | 1 Wildfly Deployer | 2022-11-29 | N/A | 5.3 MEDIUM |
| Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. | |||||