ReportizFlow
Filtered by vendor Jenkins
Subscriptions
Total
1743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-35146 | 1 Jenkins | 1 Template Workflows | 2024-12-31 | 5.4 Medium |
| Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs. | ||||
| CVE-2023-35148 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-31 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | ||||
| CVE-2023-35147 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-12-31 | 6.5 Medium |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system. | ||||
| CVE-2023-35149 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-30 | 6.5 Medium |
| A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | ||||
| CVE-2023-3315 | 1 Jenkins | 1 Team Concert | 2024-12-11 | 4.3 Medium |
| Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||||
| CVE-2023-4303 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.3 Medium |
| Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability. | ||||
| CVE-2023-4302 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.2 Medium |
| A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.2 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2023-49652 | 1 Jenkins | 1 Google Compute Engine | 2024-11-21 | 2.7 Low |
| Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. | ||||
| CVE-2023-46651 | 1 Jenkins | 1 Warnings | 2024-11-21 | 6.5 Medium |
| Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1. | ||||
| CVE-2023-43502 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes. | ||||
| CVE-2023-43501 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 6.5 Medium |
| A missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | ||||
| CVE-2023-43500 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | ||||
| CVE-2023-43499 | 1 Jenkins | 1 Build Failure Analyzer | 2024-11-21 | 5.4 Medium |
| Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes. | ||||
| CVE-2023-43498 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 8.1 High |
| In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | ||||
| CVE-2023-43497 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 8.1 High |
| In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | ||||
| CVE-2023-43495 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.4 Medium |
| Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. | ||||
| CVE-2023-43494 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.3 Medium |
| Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. | ||||
| CVE-2023-41947 | 1 Jenkins | 1 Frugal Testing | 2024-11-21 | 4.3 Medium |
| A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials. | ||||
| CVE-2023-41946 | 1 Jenkins | 1 Frugal Testing | 2024-11-21 | 3.5 Low |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. | ||||