Vulnerabilities (CVE)

Filtered by vendor: Jenkins
Total 1608 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-30523 1 Jenkins 1 Report Portal 2024-02-28 N/A 4.3 MEDIUM
Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2023-28685 1 Jenkins 1 Absint A3 2024-02-28 N/A 7.1 HIGH
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28670 1 Jenkins 1 Pipeline Aggregator View 2024-02-28 N/A 5.4 MEDIUM
Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.
CVE-2023-2196 1 Jenkins 1 Code Dx 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.
CVE-2023-32996 1 Jenkins 1 Saml Single Sign-on 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins SAML Single Sign On (SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with a JSON body containing attacker-specified content to miniOrange's API for sending emails.
CVE-2023-3315 1 Jenkins 1 Team Concert 2024-02-28 N/A 4.3 MEDIUM
Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
CVE-2023-32983 1 Jenkins 1 Ansible 2024-02-28 N/A 5.3 MEDIUM
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.
CVE-2023-28673 1 Jenkins 1 Octoperf Load Testing 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-28675 1 Jenkins 1 Octoperf Load Testing 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to connect to a previously configured OctoPerf server using attacker-specified credentials.
CVE-2023-28684 1 Jenkins 1 Remote-jobs-view 2024-02-28 N/A 6.5 MEDIUM
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-33005 1 Jenkins 1 Wso2 Oauth 2024-02-28 N/A 5.4 MEDIUM
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.
CVE-2023-30529 1 Jenkins 1 Lucene-search 2024-02-28 N/A 4.3 MEDIUM
Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.
CVE-2023-33002 1 Jenkins 1 Testcomplete Support 2024-02-28 N/A 5.4 MEDIUM
Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2023-33006 1 Jenkins 1 Wso2 Oauth 2024-02-28 N/A 5.4 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-32988 1 Jenkins 1 Azure Vm Agents 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-28680 1 Jenkins 1 Crap4j 2024-02-28 N/A 7.5 HIGH
Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-30528 1 Jenkins 1 Wso2 Oauth 2024-02-28 N/A 6.5 MEDIUM
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.
CVE-2023-27903 1 Jenkins 1 Jenkins 2024-02-28 N/A 4.4 MEDIUM
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.
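CVE-2023-27903 is the temporary-file class of bug: the upload lands in the shared temp directory with whatever mode the process umask leaves (usually world-readable), at a location other local users can read or race. The added Python example below is written for this page and is not Jenkins code (Jenkins is Java, where java.nio.file.Files.createTempFile creates the file with owner-only permissions on POSIX, unlike the older java.io.File.createTempFile). It contrasts the two creation patterns and returns the resulting mode bits; the file name and payload are constructed.

```python
import os
import stat
import tempfile


def current_umask():
    """Read the process umask without changing it (os.umask always sets, so restore it)."""
    old = os.umask(0)
    os.umask(old)
    return old


def write_upload_insecure(data):
    """The pattern the advisory describes: a file under the shared temp dir, created
    with whatever the umask leaves of 0666 (0644 on most systems, i.e. readable by
    every local user) at a name another user can guess or plant in advance."""
    path = os.path.join(tempfile.gettempdir(), "file-param-upload.bin")  # constructed name
    if os.path.exists(path):
        os.unlink(path)  # only to keep the demo repeatable between runs
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_upload_secure(data):
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600 under a random name, so another
    local user can neither read the upload nor pre-create a file at that path."""
    fd, path = tempfile.mkstemp(prefix="file-param-", suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_temp_file_modes():
    """Create one file each way and report the permission bits each ended up with."""
    payload = b"contents of an uploaded file parameter"  # constructed sample
    insecure = write_upload_insecure(payload)
    secure = write_upload_secure(payload)
    try:
        return {
            "insecure_mode": mode_of(insecure),
            "expected_insecure_mode": 0o666 & ~current_umask(),
            "secure_mode": mode_of(secure),
            "insecure_readable_by_others": bool(
                mode_of(insecure) & (stat.S_IRGRP | stat.S_IROTH)
            ),
        }
    finally:
        os.unlink(insecure)
        os.unlink(secure)


if __name__ == "__main__":
    result = compare_temp_file_modes()
    print("insecure mode:", oct(result["insecure_mode"]))
    print("secure mode:  ", oct(result["secure_mode"]))
    print("readable by other users:", result["insecure_readable_by_others"])
```

Whether the insecure variant is actually world-readable depends on the umask of the account running the service; the secure variant does not depend on it, which is the property you want from code that handles uploads on a shared host.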
CVE-2022-46683 1 Jenkins 1 Google Login 2024-02-28 N/A 6.1 MEDIUM
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
CVE-2023-24450 1 Jenkins 1 View-cloner 2024-02-28 N/A 6.5 MEDIUM
Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
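CVE-2023-30523 and CVE-2023-24450 above are both the plaintext-secret-in-config.xml class: a plugin field that should have been a hudson.util.Secret (which Jenkins serialises as an encrypted base64 value wrapped in braces) was stored as a plain String, so the value is exposed to anyone with Extended Read permission or a copy of the controller's job directories. The following Python audit script is added here and is not code from either plugin. It walks a job config.xml and reports secret-looking elements whose value is not in the encrypted form, and can be pointed at a JENKINS_HOME to find such fields across all jobs. The sample config.xml, the plugin class names (com.example.ReportPublisher and com.example.FixedReportPublisher) and the token values are constructed; the element-name pattern is a heuristic to extend for the plugins you run, and older Jenkins releases wrote Secrets as bare base64 without braces, which this check would report as plaintext.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# hudson.util.Secret serialises an encrypted value as base64 wrapped in braces,
# e.g. {AQAAABAAAAAQ...}; a secret-looking element whose text is anything else is
# sitting in config.xml in the clear.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Heuristic list of element names that usually hold a credential.
SECRET_TAG = re.compile(r"(password|passwd|token|secret|apikey|api_key|privatekey)", re.IGNORECASE)

# Constructed sample job config.xml; the plugin class names are hypothetical and
# the encrypted-looking value is random base64, not a real Jenkins ciphertext.
SAMPLE_CONFIG_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<project>
  <description>nightly report upload</description>
  <publishers>
    <com.example.ReportPublisher plugin="example-report@0.5">
      <endpoint>https://reports.example.internal/api</endpoint>
      <accessToken>rp-0123456789abcdef0123</accessToken>
      <apiToken></apiToken>
    </com.example.ReportPublisher>
    <com.example.FixedReportPublisher plugin="example-report@0.6">
      <endpoint>https://reports.example.internal/api</endpoint>
      <accessToken>{AQAAABAAAAAQ8xq3ZlVb2Nc4gY7p0sRt1uKwHo5eJd9fMi6nLa2bCq8=}</accessToken>
    </com.example.FixedReportPublisher>
  </publishers>
</project>
"""


def redact(value):
    """Never echo the secret back in audit output; keep just enough to identify it."""
    return value[:3] + "*" * max(0, len(value) - 3)


def _walk(elem, path, findings):
    here = f"{path}/{elem.tag}"
    if SECRET_TAG.search(elem.tag):
        value = (elem.text or "").strip()
        # Empty is fine, encrypted is fine, anything else is a plaintext secret.
        if value and not ENCRYPTED_SECRET.match(value):
            findings.append((here, redact(value)))
    for child in elem:
        _walk(child, here, findings)


def find_plaintext_secrets(config_xml):
    """Return [(element path, redacted value)] for secret-looking elements that are
    stored as plain strings in one config.xml document."""
    root = ET.fromstring(config_xml)
    findings = []
    _walk(root, "", findings)
    return findings


def scan_jenkins_home(jenkins_home):
    """Apply the check to every config.xml under JENKINS_HOME (jobs, folders, the
    controller's own configuration) and map file path -> findings."""
    report = {}
    for path in glob.glob(os.path.join(jenkins_home, "**", "config.xml"), recursive=True):
        with open(path, "rb") as fh:
            try:
                hits = find_plaintext_secrets(fh.read())
            except ET.ParseError:
                continue  # not well-formed XML; skip rather than abort the audit
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for location, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print(f"plaintext secret at {location}: {value}")
```

Run scan_jenkins_home("/var/lib/jenkins") (or wherever JENKINS_HOME lives) as the Jenkins user; a hit means the plugin owning that element should be upgraded to a version that uses Secret, and the value itself should be rotated, since every Extended Read user and every backup of the controller has had it in the clear.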