Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1605 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-41932 1 Jenkins 1 Job Configuration History 2024-02-28 N/A 6.5 MEDIUM
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.
CVE-2023-41936 1 Jenkins 1 Google Login 2024-02-28 N/A 7.5 HIGH
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.
CVE-2023-46651 1 Jenkins 1 Warnings 2024-02-28 N/A 6.5 MEDIUM
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.
CVE-2023-46660 1 Jenkins 1 Zanata 2024-02-28 N/A 5.3 MEDIUM
Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2023-40336 1 Jenkins 1 Folders 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
CVE-2023-37959 1 Jenkins 1 Sumologic Publisher 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVE-2023-41943 1 Jenkins 1 Aws Codecommit Trigger 2024-02-28 N/A 6.5 MEDIUM
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.
CVE-2023-37958 1 Jenkins 1 Sumologic Publisher 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2023-43494 1 Jenkins 1 Jenkins 2024-02-28 N/A 4.3 MEDIUM
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
CVE-2023-3442 1 Jenkins 1 Servicenow Devops 2024-02-28 N/A 7.5 HIGH
A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
CVE-2023-40340 1 Jenkins 1 Nodejs 2024-02-28 N/A 7.5 HIGH
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
CVE-2023-40342 1 Jenkins 1 Flaky Test Handler 2024-02-28 N/A 5.4 MEDIUM
Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.
CVE-2023-46650 1 Jenkins 1 Github 2024-02-28 N/A 5.4 MEDIUM
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2023-40343 1 Jenkins 1 Tuleap Authentication 2024-02-28 N/A 5.9 MEDIUM
Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.
CVE-2023-39156 1 Jenkins 1 Bazaar 2024-02-28 N/A 5.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.
CVE-2023-41947 1 Jenkins 1 Frugal Testing 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.
CVE-2023-37952 1 Jenkins 1 Mabl 2024-02-28 N/A 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins mabl Plugin 0.0.46 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-37964 1 Jenkins 1 Elasticbox Ci 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-40344 1 Jenkins 1 Delphix 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-37960 1 Jenkins 1 Mathworks Polyspace 2024-02-28 N/A 6.5 MEDIUM
Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file systems.