Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1605 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-3414 1 Jenkins 1 Servicenow Devops 2024-02-28 N/A 6.5 MEDIUM
A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
CVE-2023-37961 1 Jenkins 1 Assembla 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-37943 1 Jenkins 1 Active Directory 2024-02-28 N/A 5.9 MEDIUM
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
CVE-2023-37942 1 Jenkins 1 External Monitor Job Type 2024-02-28 N/A 6.5 MEDIUM
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-37963 1 Jenkins 1 Benchmark Evaluator 2024-02-28 N/A 5.4 MEDIUM
A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.
CVE-2023-41933 1 Jenkins 1 Job Configuration History 2024-02-28 N/A 8.8 HIGH
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-4301 1 Jenkins 1 Fortify 2024-02-28 N/A 5.4 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-4302 1 Jenkins 1 Fortify 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-40341 1 Jenkins 1 Blue Ocean 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.
CVE-2023-43500 1 Jenkins 1 Build Failure Analyzer 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
CVE-2023-32998 1 Jenkins 1 Appspider 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
CVE-2023-33003 1 Jenkins 1 Tag Profiler 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics.
CVE-2023-35143 1 Jenkins 1 Maven Repository Server 2024-02-28 N/A 5.4 MEDIUM
Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`.
CVE-2023-28677 1 Jenkins 1 Convert To Pipeline 2024-02-28 N/A 9.8 CRITICAL
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.
CVE-2023-28678 1 Jenkins 1 Cppcheck 2024-02-28 N/A 5.4 MEDIUM
Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.
CVE-2023-32997 1 Jenkins 1 Cas 2024-02-28 N/A 8.8 HIGH
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.
CVE-2023-28674 1 Jenkins 1 Octoperf Load Testing 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.
CVE-2023-30522 1 Jenkins 1 Fogbugz 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.
CVE-2023-32986 1 Jenkins 1 File Parameters 2024-02-28 N/A 8.8 HIGH
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
CVE-2023-28679 1 Jenkins 1 Mashup Portlets 2024-02-28 N/A 5.4 MEDIUM
Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.