Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1605 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-40351 1 Jenkins 1 Favorite View 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.
CVE-2023-37946 1 Jenkins 1 Openshift Login 2024-02-28 N/A 8.8 HIGH
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.
CVE-2023-46657 1 Jenkins 1 Gogs 2024-02-28 N/A 5.3 MEDIUM
Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2023-39153 1 Jenkins 1 Gitlab Authentication 2024-02-28 N/A 5.4 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-46659 1 Jenkins 1 Edgewall Trac 2024-02-28 N/A 5.4 MEDIUM
Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2023-41935 1 Jenkins 1 Azure Ad 2024-02-28 N/A 7.5 HIGH
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
CVE-2023-43499 1 Jenkins 1 Build Failure Analyzer 2024-02-28 N/A 5.4 MEDIUM
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.
CVE-2023-41931 1 Jenkins 1 Job Configuration History 2024-02-28 N/A 5.4 MEDIUM
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.
CVE-2023-37947 1 Jenkins 1 Openshift Login 2024-02-28 N/A 6.1 MEDIUM
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
CVE-2023-41938 1 Jenkins 1 Ivy 2024-02-28 N/A 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.
CVE-2023-37949 1 Jenkins 1 Orka By Macstadium 2024-02-28 N/A 7.1 HIGH
A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-40337 1 Jenkins 1 Folders 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
CVE-2023-39154 1 Jenkins 1 Qualys Web App Scanning Connector 2024-02-28 N/A 6.5 MEDIUM
Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-41930 1 Jenkins 1 Job Configuration History 2024-02-28 N/A 4.3 MEDIUM
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.
CVE-2023-37953 1 Jenkins 1 Mabl 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-43496 1 Jenkins 1 Jenkins 2024-02-28 N/A 8.8 HIGH
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
CVE-2023-40347 1 Jenkins 1 Maven Artifact Choicelistprovider \(nexus\) 2024-02-28 N/A 6.5 MEDIUM
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
CVE-2023-43502 1 Jenkins 1 Build Failure Analyzer 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes.
CVE-2023-39155 1 Jenkins 1 Chef Identity 2024-02-28 N/A 5.3 MEDIUM
Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
CVE-2023-46656 1 Jenkins 1 Multibranch Scan Webhook Trigger 2024-02-28 N/A 5.3 MEDIUM
Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.