Filtered by vendor Jenkins
Subscribe
Total
1608 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36915 | 1 Jenkins | 1 Android Signing | 2024-02-28 | N/A | 4.3 MEDIUM |
| Jenkins Android Signing Plugin 2.2.5 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. | |||||
| CVE-2022-43424 | 1 Jenkins | 2 Compuware Xpediter Code Coverage, Jenkins | 2024-02-28 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-41224 | 1 Jenkins | 1 Jenkins | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component. | |||||
| CVE-2022-43413 | 1 Jenkins | 1 Job Import | 2024-02-28 | N/A | 4.3 MEDIUM |
| Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-41239 | 1 Jenkins | 1 Dotci | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-45391 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2024-02-28 | N/A | 7.5 HIGH |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. | |||||
| CVE-2022-36917 | 1 Jenkins | 1 Google Cloud Backup | 2024-02-28 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Google Cloud Backup Plugin 0.6 and earlier allows attackers with Overall/Read permission to request a manual backup. | |||||
| CVE-2022-36922 | 1 Jenkins | 1 Lucene-search | 2024-02-28 | N/A | 6.1 MEDIUM |
| Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the 'search' result page, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-36912 | 1 Jenkins | 1 Openstack Heat | 2024-02-28 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-41237 | 1 Jenkins | 1 Dotci | 2024-02-28 | N/A | 9.8 CRITICAL |
| Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2022-36900 | 1 Jenkins | 2 Compuware Zadviser Api, Jenkins | 2024-02-28 | N/A | 8.2 HIGH |
| Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. | |||||
| CVE-2022-36885 | 1 Jenkins | 1 Github | 2024-02-28 | N/A | 5.3 MEDIUM |
| Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. | |||||
| CVE-2022-41231 | 1 Jenkins | 1 Build-publisher | 2024-02-28 | N/A | 5.7 MEDIUM |
| Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. | |||||
| CVE-2022-43403 | 1 Jenkins | 1 Script Security | 2024-02-28 | N/A | 9.9 CRITICAL |
| A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | |||||
| CVE-2022-36881 | 1 Jenkins | 1 Git Client | 2024-02-28 | N/A | 8.1 HIGH |
| Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. | |||||
| CVE-2022-41235 | 1 Jenkins | 1 Wildfly Deployer | 2024-02-28 | N/A | 5.3 MEDIUM |
| Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2022-43428 | 1 Jenkins | 2 Compuware Topaz For Total Test, Jenkins | 2024-02-28 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-43409 | 1 Jenkins | 1 Pipeline\ | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines. | |||||
| CVE-2022-45393 | 1 Jenkins | 1 Delete Log | 2024-02-28 | N/A | 3.5 LOW |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. | |||||
| CVE-2022-38664 | 1 Jenkins | 1 Job Configuration History | 2024-02-28 | N/A | 5.4 MEDIUM |
| Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names. | |||||