Filtered by vendor Jenkins
Subscribe
Total
1608 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2024-02-28 | N/A | 9.8 CRITICAL |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24454 | 1 Jenkins | 1 Testquality Updater | 2024-02-28 | N/A | 5.5 MEDIUM |
| Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2023-25764 | 1 Jenkins | 1 Email Extension | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates. | |||||
| CVE-2023-24445 | 1 Jenkins | 1 Openid | 2024-02-28 | N/A | 6.1 MEDIUM |
| Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | |||||
| CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2024-02-28 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-27899 | 1 Jenkins | 1 Jenkins | 2024-02-28 | N/A | 7.0 HIGH |
| Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. | |||||
| CVE-2023-24442 | 1 Jenkins | 1 Github Pull Request Coverage Status | 2024-02-28 | N/A | 5.5 MEDIUM |
| Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2023-23847 | 1 Jenkins | 1 Synopsys Coverity | 2024-02-28 | N/A | 3.5 LOW |
| A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-24423 | 1 Jenkins | 1 Gerrit Trigger | 2024-02-28 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit. | |||||
| CVE-2023-24444 | 1 Jenkins | 1 Openid | 2024-02-28 | N/A | 9.8 CRITICAL |
| Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24459 | 1 Jenkins | 1 Bearychat | 2024-02-28 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2023-27898 | 1 Jenkins | 1 Jenkins | 2024-02-28 | N/A | 9.6 CRITICAL |
| Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. | |||||
| CVE-2023-24435 | 1 Jenkins | 1 Github Pull Request Builder | 2024-02-28 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-24457 | 1 Jenkins | 1 Keycloak Authentication | 2024-02-28 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2023-27905 | 1 Jenkins | 1 Update-center2 | 2024-02-28 | N/A | 9.6 CRITICAL |
| Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting. | |||||
| CVE-2023-24455 | 1 Jenkins | 1 Visual Expert | 2024-02-28 | N/A | 4.3 MEDIUM |
| Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | |||||
| CVE-2023-24425 | 1 Jenkins | 1 Kubernetes Credentials Provider | 2024-02-28 | N/A | 6.5 MEDIUM |
| Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to. | |||||
| CVE-2023-24452 | 1 Jenkins | 1 Testquality Updater | 2024-02-28 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. | |||||
| CVE-2023-24431 | 1 Jenkins | 1 Orka By Macstadium | 2024-02-28 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||