Filtered by vendor Jenkins
Total: 1605 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-3414 | Jenkins | Servicenow Devops | 2024-02-28 | N/A | 6.5 MEDIUM | A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform. |
CVE-2023-37961 | Jenkins | Assembla | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account. |
CVE-2023-37943 | Jenkins | Active Directory | 2024-02-28 | N/A | 5.9 MEDIUM | Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. |
CVE-2023-37942 | Jenkins | External Monitor Job Type | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
CVE-2023-37963 | Jenkins | Benchmark Evaluator | 2024-02-28 | N/A | 5.4 MEDIUM | A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system. |
CVE-2023-41933 | Jenkins | Job Configuration History | 2024-02-28 | N/A | 8.8 HIGH | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
CVE-2023-4301 | Jenkins | Fortify | 2024-02-28 | N/A | 5.4 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
CVE-2023-4302 | Jenkins | Fortify | 2024-02-28 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
CVE-2023-40341 | Jenkins | Blue Ocean | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. |
CVE-2023-43500 | Jenkins | Build Failure Analyzer | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using an attacker-specified username and password. |
CVE-2023-32998 | Jenkins | Appspider | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. |
CVE-2023-33003 | Jenkins | Tag Profiler | 2024-02-28 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics. |
CVE-2023-35143 | Jenkins | Maven Repository Server | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Maven project versions in `pom.xml`. |
CVE-2023-28677 | Jenkins | Convert To Pipeline | 2024-02-28 | N/A | 9.8 CRITICAL | Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Jenkins Convert To Pipeline Plugin. |
CVE-2023-28678 | Jenkins | Cppcheck | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents. |
CVE-2023-32997 | Jenkins | Cas | 2024-02-28 | N/A | 8.8 HIGH | Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. |
CVE-2023-28674 | Jenkins | Octoperf Load Testing | 2024-02-28 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to connect to a previously configured OctoPerf server using attacker-specified credentials. |
CVE-2023-30522 | Jenkins | Fogbugz | 2024-02-28 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. |
CVE-2023-32986 | Jenkins | File Parameters | 2024-02-28 | N/A | 8.8 HIGH | Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. |
CVE-2023-28679 | Jenkins | Mashup Portlets | 2024-02-28 | N/A | 5.4 MEDIUM | Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. |