Filtered by vendor Jenkins
Total: 1605 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-49653 | 1 Jenkins | 1 Jira | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. |
CVE-2023-50769 | 1 Jenkins | 1 Nexus Platform | 2024-02-28 | N/A | 4.3 MEDIUM | Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
CVE-2024-23900 | 1 Jenkins | 1 Matrix Project | 2024-02-28 | N/A | 4.3 MEDIUM | Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. |
CVE-2024-23899 | 1 Jenkins | 1 Git Server | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system. |
CVE-2024-23904 | 1 Jenkins | 1 Log Command | 2024-02-28 | N/A | 7.5 HIGH | Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. |
CVE-2023-37962 | 1 Jenkins | 1 Benchmark Evaluator | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system. |
CVE-2023-41945 | 1 Jenkins | 1 Assembla Auth | 2024-02-28 | N/A | 8.8 HIGH | Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. |
CVE-2023-41944 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-02-28 | N/A | 6.1 MEDIUM | Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL when rendering an error message, resulting in an HTML injection vulnerability. |
CVE-2023-40350 | 1 Jenkins | 1 Docker Swarm | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. |
CVE-2023-37956 | 1 Jenkins | 1 Test Results Aggregator | 2024-02-28 | N/A | 6.5 MEDIUM | A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
CVE-2023-43495 | 1 Jenkins | 1 Jenkins | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. |
CVE-2023-41946 | 1 Jenkins | 1 Frugal Testing | 2024-02-28 | N/A | 3.5 LOW | A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. |
CVE-2023-41937 | 1 Jenkins | 1 Bitbucket Push And Pull Request | 2024-02-28 | N/A | 7.5 HIGH | Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. |
CVE-2023-37954 | 1 Jenkins | 1 Rebuilder | 2024-02-28 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build. |
CVE-2023-40345 | 1 Jenkins | 1 Delphix | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. |
CVE-2023-40339 | 1 Jenkins | 1 Config File Provider | 2024-02-28 | N/A | 7.5 HIGH | Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. |
CVE-2023-40346 | 1 Jenkins | 1 Shortcut Job | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. |
CVE-2023-46655 | 1 Jenkins | 1 Cloudbees Cd | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server. |
CVE-2023-41941 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-02-28 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. |
CVE-2023-46658 | 1 Jenkins | 1 Msteams Webhook Trigger | 2024-02-28 | N/A | 5.3 MEDIUM | Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant-time comparison function when checking whether the provided and expected webhook tokens are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. |