Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1648 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-34176 1 Jenkins 1 Junit 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
CVE-2022-34175 1 Jenkins 1 Jenkins 2024-11-21 5.0 MEDIUM 7.5 HIGH
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
CVE-2022-34174 1 Jenkins 1 Jenkins 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
CVE-2022-34173 1 Jenkins 1 Jenkins 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2022-34172 1 Jenkins 1 Jenkins 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2022-34171 1 Jenkins 1 Jenkins 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2022-34170 1 Jenkins 1 Jenkins 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2022-30972 1 Jenkins 1 Storage Configs 2024-11-21 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2022-30971 1 Jenkins 1 Storable Configs 2024-11-21 6.5 MEDIUM 8.8 HIGH
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-30970 1 Jenkins 1 Autocomplete Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30969 1 Jenkins 1 Autocomplete Parameter 2024-11-21 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
CVE-2022-30968 1 Jenkins 1 Vboxwrapper 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30967 1 Jenkins 1 Selection Tasks 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30966 1 Jenkins 1 Random String Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30965 1 Jenkins 1 Promoted Builds 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30964 1 Jenkins 1 Multiselect Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30963 1 Jenkins 1 Jdk Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30962 1 Jenkins 1 Global Variable String Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30961 1 Jenkins 1 Autocomplete Parameter 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-30960 1 Jenkins 1 Application Detector 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.