Filtered by vendor Jenkins
Subscribe
Total
1727 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32980 | 1 Jenkins | 1 Email Extension | 2025-01-23 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job. | |||||
| CVE-2023-32979 | 1 Jenkins | 1 Email Extension | 2025-01-23 | N/A | 4.3 MEDIUM |
| Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. | |||||
| CVE-2023-32978 | 1 Jenkins | 1 Lightweight Directory Access Protocol | 2025-01-23 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. | |||||
| CVE-2023-32977 | 1 Jenkins | 1 Pipeline\ | 2025-01-23 | N/A | 5.4 MEDIUM |
| Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. | |||||
| CVE-2023-35142 | 1 Jenkins | 1 Checkmarx | 2025-01-02 | N/A | 8.1 HIGH |
| Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default. | |||||
| CVE-2023-35144 | 1 Jenkins | 1 Maven Repository Server | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2023-35143 | 1 Jenkins | 1 Maven Repository Server | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`. | |||||
| CVE-2023-35141 | 1 Jenkins | 1 Jenkins | 2025-01-02 | N/A | 8.0 HIGH |
| In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu. | |||||
| CVE-2023-35145 | 1 Jenkins | 1 Sonargraph Integration | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-35148 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-31 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2023-35147 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-12-31 | N/A | 6.5 MEDIUM |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-35149 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-30 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2023-3315 | 1 Jenkins | 1 Team Concert | 2024-12-11 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | |||||
| CVE-2024-23903 | 1 Jenkins | 1 Github Branch Source | 2024-11-21 | N/A | 5.3 MEDIUM |
| Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
| CVE-2023-50779 | 1 Jenkins | 1 Paaslane Estimate | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. | |||||
| CVE-2023-50778 | 1 Jenkins | 1 Paaslane Estimate | 2024-11-21 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token. | |||||
| CVE-2023-50776 | 1 Jenkins | 1 Paaslane Estimate | 2024-11-21 | N/A | 4.3 MEDIUM |
| Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50775 | 1 Jenkins | 1 Deployment Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs. | |||||
| CVE-2023-50774 | 1 Jenkins | 1 Html Resource | 2024-11-21 | N/A | 8.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-50773 | 1 Jenkins | 1 Dingding Json Pusher | 2024-11-21 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||