VYPR

Jenkins Jira Pipeline Steps Plugin

by Jenkins Project

CVEs (19)

  • CVE-2023-24437 (High) Jan 26, 2023
    risk 0.57, cvss 8.8, epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2020-2166 (High) Mar 25, 2020
    risk 0.57, cvss 8.8, epss 0.02

    Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2017-2650 (High) Jul 27, 2018
    risk 0.55, cvss 8.5, epss 0.01

    It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.

  • CVE-2023-32981 (High) May 16, 2023
    risk 0.50, cvss 8.8, epss 0.01

    An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

  • CVE-2022-43407 (High) Oct 19, 2022
    risk 0.50, cvss 8.8, epss 0.00

    Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly…

  • CVE-2022-45381 (High) Nov 15, 2022
    risk 0.46, cvss 8.1, epss 0.01

    Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines…

  • CVE-2023-24438 (Medium) Jan 26, 2023
    risk 0.42, cvss 6.5, epss 0.01

    A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2022-34177 (High) Jun 23, 2022
    risk 0.42, cvss 7.5, epss 0.01

    Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related…

  • CVE-2023-24440 (Medium) Jan 26, 2023
    risk 0.36, cvss 5.5, epss 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.

  • CVE-2023-24439 (Medium) Jan 26, 2023
    risk 0.36, cvss 5.5, epss 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-25762 (Medium) Feb 15, 2023
    risk 0.35, cvss 5.4, epss 0.81

    Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

  • CVE-2022-43408 (Medium) Oct 19, 2022
    risk 0.35, cvss 6.5, epss 0.00

    Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would…

  • CVE-2022-25184 (Medium) Feb 15, 2022
    risk 0.35, cvss 6.5, epss 0.01

    Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.

  • CVE-2019-10373 (Medium) Aug 7, 2019
    risk 0.35, cvss 5.4, epss 0.01

    A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

  • CVE-2023-32977 (Medium) May 16, 2023
    risk 0.28, cvss 5.4, epss 0.01

    Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

  • CVE-2020-2214 (Medium) Jul 2, 2020
    risk 0.28, cvss 5.4, epss 0.01

    Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2020-2118 (Medium) Feb 12, 2020
    risk 0.00, cvss 4.3, epss 0.01

    A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.

  • CVE-2020-2117 (Medium) Feb 12, 2020
    risk 0.00, cvss 4.3, epss 0.01

    A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored…

  • CVE-2020-2116 (High) Feb 12, 2020
    risk 0.00, cvss 8.8, epss 0.01

    A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.