Vulnerabilities (CVE)

Filtered by vendor Jenkins
Total 1605 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-49653 1 Jenkins 1 Jira 2024-02-28 N/A 6.5 MEDIUM
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
CVE-2023-50769 1 Jenkins 1 Nexus Platform 2024-02-28 N/A 4.3 MEDIUM
Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2024-23900 1 Jenkins 1 Matrix Project 2024-02-28 N/A 4.3 MEDIUM
Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.
CVE-2024-23899 1 Jenkins 1 Git Server 2024-02-28 N/A 6.5 MEDIUM
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
CVE-2024-23904 1 Jenkins 1 Log Command 2024-02-28 N/A 7.5 HIGH
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.
CVE-2023-37962 1 Jenkins 1 Benchmark Evaluator 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.
CVE-2023-41945 1 Jenkins 1 Assembla Auth 2024-02-28 N/A 8.8 HIGH
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.
CVE-2023-41944 1 Jenkins 1 Aws Codecommit Trigger 2024-02-28 N/A 6.1 MEDIUM
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.
CVE-2023-40350 1 Jenkins 1 Docker Swarm 2024-02-28 N/A 5.4 MEDIUM
Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.
CVE-2023-37956 1 Jenkins 1 Test Results Aggregator 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2023-43495 1 Jenkins 1 Jenkins 2024-02-28 N/A 5.4 MEDIUM
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.
CVE-2023-41946 1 Jenkins 1 Frugal Testing 2024-02-28 N/A 3.5 LOW
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
CVE-2023-41937 1 Jenkins 1 Bitbucket Push And Pull Request 2024-02-28 N/A 7.5 HIGH
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
CVE-2023-37954 1 Jenkins 1 Rebuilder 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build.
CVE-2023-40345 1 Jenkins 1 Delphix 2024-02-28 N/A 6.5 MEDIUM
Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.
CVE-2023-40339 1 Jenkins 1 Config File Provider 2024-02-28 N/A 7.5 HIGH
Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.
CVE-2023-40346 1 Jenkins 1 Shortcut Job 2024-02-28 N/A 5.4 MEDIUM
Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.
CVE-2023-46655 1 Jenkins 1 Cloudbees Cd 2024-02-28 N/A 6.5 MEDIUM
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
CVE-2023-41941 1 Jenkins 1 Aws Codecommit Trigger 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.
CVE-2023-46658 1 Jenkins 1 Msteams Webhook Trigger 2024-02-28 N/A 5.3 MEDIUM
Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.