Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1608 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-30518 1 Jenkins 1 Thycotic Secret Server 2024-02-28 N/A 4.3 MEDIUM
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-28668 1 Jenkins 1 Role-based Authorization Strategy 2024-02-28 N/A 9.8 CRITICAL
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.
CVE-2023-30530 1 Jenkins 1 Consul Kv Builder 2024-02-28 N/A 4.3 MEDIUM
Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CVE-2023-28682 1 Jenkins 1 Performance Publisher 2024-02-28 N/A 8.2 HIGH
Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28681 1 Jenkins 1 Visual Studio Code Metrics 2024-02-28 N/A 8.2 HIGH
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-32985 1 Jenkins 1 Sidebar Link 2024-02-28 N/A 4.3 MEDIUM
Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
CVE-2023-32992 1 Jenkins 1 Saml Single Sign On 2024-02-28 N/A 8.8 HIGH
Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.
CVE-2023-2633 1 Jenkins 1 Code Dx 2024-02-28 N/A 4.3 MEDIUM
Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.
CVE-2023-35149 1 Jenkins 1 Digital.ai App Management Publisher 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
CVE-2023-32980 1 Jenkins 1 Email Extension 2024-02-28 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.
CVE-2023-32990 1 Jenkins 1 Azure Vm Agents 2024-02-28 N/A 6.5 MEDIUM
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
CVE-2023-35147 1 Jenkins 1 Aws Codecommit Trigger 2024-02-28 N/A 6.5 MEDIUM
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.
CVE-2023-30513 1 Jenkins 1 Kubernetes 2024-02-28 N/A 7.5 HIGH
Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
CVE-2023-28683 1 Jenkins 1 Phabricator Differential 2024-02-28 N/A 8.2 HIGH
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-32982 1 Jenkins 1 Ansible 2024-02-28 N/A 4.3 MEDIUM
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2023-2632 1 Jenkins 1 Code Dx 2024-02-28 N/A 4.3 MEDIUM
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2023-28676 1 Jenkins 1 Convert To Pipeline 2024-02-28 N/A 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).
CVE-2023-35148 1 Jenkins 1 Digital.ai App Management Publisher 2024-02-28 N/A 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
CVE-2023-30515 1 Jenkins 1 Thycotic Devops Secrets Vault 2024-02-28 N/A 7.5 HIGH
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
CVE-2023-33001 1 Jenkins 1 Hashicorp Vault 2024-02-28 N/A 7.5 HIGH
Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.