Total
233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43422 | 1 Jenkins | 2 Compuware Topaz Utilities, Jenkins | 2022-10-20 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-43416 | 1 Jenkins | 2 Jenkins, Katalon | 2022-10-20 | N/A | 8.8 HIGH |
| Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands. | |||||
| CVE-2022-43423 | 1 Jenkins | 2 Compuware Source Code Download For Endevor\, Pds\, And Ispw, Jenkins | 2022-10-20 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-34175 | 1 Jenkins | 1 Jenkins | 2022-10-20 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | |||||
| CVE-2017-2601 | 1 Jenkins | 1 Jenkins | 2022-10-19 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. | |||||
| CVE-2020-2230 | 1 Jenkins | 1 Jenkins | 2022-10-05 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. | |||||
| CVE-2020-2229 | 1 Jenkins | 1 Jenkins | 2022-10-05 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-41224 | 1 Jenkins | 1 Jenkins | 2022-09-22 | N/A | 5.4 MEDIUM |
| Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component. | |||||
| CVE-2022-36899 | 1 Jenkins | 2 Compuware Ispw Operations, Jenkins | 2022-08-03 | N/A | 8.2 HIGH |
| Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. | |||||
| CVE-2022-36900 | 1 Jenkins | 2 Compuware Zadviser Api, Jenkins | 2022-08-03 | N/A | 8.2 HIGH |
| Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. | |||||
| CVE-2021-28165 | 4 Eclipse, Jenkins, Netapp and 1 more | 21 Jetty, Jenkins, Cloud Manager and 18 more | 2022-07-29 | 7.8 HIGH | 7.5 HIGH |
| In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | |||||
| CVE-2022-20612 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-07-29 | 2.6 LOW | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. | |||||
| CVE-2022-34174 | 1 Jenkins | 1 Jenkins | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | |||||
| CVE-2018-6356 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. | |||||
| CVE-2018-1000067 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. | |||||
| CVE-2017-1000353 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. | |||||
| CVE-2018-1000068 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. | |||||
| CVE-2018-1000193 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. | |||||
| CVE-2018-1999001 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.3 MEDIUM | 8.8 HIGH |
| A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. | |||||
| CVE-2018-1000192 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. | |||||