Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1608 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24440 1 Jenkins 1 Jira Pipeline Steps 2024-02-28 N/A 5.5 MEDIUM
Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVE-2023-24449 1 Jenkins 1 Pwauth Security Realm 2024-02-28 N/A 4.3 MEDIUM
Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
CVE-2023-24458 1 Jenkins 1 Bearychat 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2023-24451 1 Jenkins 1 Cisco Spark 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Cisco Spark Notifier Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-27904 1 Jenkins 1 Jenkins 2024-02-28 N/A 5.3 MEDIUM
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.
CVE-2023-24441 1 Jenkins 1 Mstest 2024-02-28 N/A 9.8 CRITICAL
Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-27901 1 Jenkins 1 Jenkins 2024-02-28 N/A 7.5 HIGH
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
CVE-2023-24429 1 Jenkins 1 Semantic Versioning 2024-02-28 N/A 9.8 CRITICAL
Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2023-24447 1 Jenkins 1 Rabbitmq Consumer 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.
CVE-2023-24437 1 Jenkins 1 Jira Pipeline Steps 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-23850 1 Jenkins 1 Synopsys Coverity 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-24446 1 Jenkins 1 Openid 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-25768 1 Jenkins 1 Azure Credentials 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
CVE-2023-24438 1 Jenkins 1 Jira Pipeline Steps 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-25761 1 Jenkins 1 Junit 2024-02-28 N/A 5.4 MEDIUM
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
CVE-2023-25765 1 Jenkins 1 Email Extension 2024-02-28 N/A 9.9 CRITICAL
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
CVE-2023-27900 1 Jenkins 1 Jenkins 2024-02-28 N/A 7.5 HIGH
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.
CVE-2022-46688 1 Jenkins 1 Sonar Gerrit 2024-02-28 N/A 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
CVE-2022-46686 1 Jenkins 1 Custom Build Properties 2024-02-28 N/A 5.4 MEDIUM
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
CVE-2023-25762 1 Jenkins 1 Pipeline\ 2024-02-28 N/A 5.4 MEDIUM
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.