VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,578 total · sorted by risk
  • CVE-2022-46688 · Med · Dec 12, 2022
    risk 0.35 · cvss 6.5 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through…

  • CVE-2022-46684 · Med · Dec 12, 2022
    risk 0.35 · cvss 5.4 · epss 0.00

    Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2022-45401 · Med · Nov 15, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-45383 · Med · Nov 15, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

  • CVE-2022-43425 · Med · Oct 19, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-43421 · Med · Oct 19, 2022
    risk 0.35 · cvss 5.3 · epss 0.01

    A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value.

  • CVE-2022-43419 · Med · Oct 19, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-43408 · Med · Oct 19, 2022
    risk 0.35 · cvss 6.5 · epss 0.00

    Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would…

  • CVE-2022-41242 · Med · Sep 21, 2022
    risk 0.35 · cvss 5.4 · epss 0.00

    A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

  • CVE-2022-41239 · Med · Sep 21, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2022-38663 · Med · Aug 23, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

  • CVE-2022-36902 · Med · Jul 27, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-36896 · Med · Jul 27, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

  • CVE-2022-36888 · Med · Jul 27, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    A missing permission check in Jenkins HashiCorp Vault Plugin 354.vdb_858fd6b_f48 and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys.

  • CVE-2022-34795 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

  • CVE-2022-34791 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34790 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34787 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.

  • CVE-2022-34786 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

  • CVE-2022-34784 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.

  • CVE-2022-34783 · Med · Jun 30, 2022
    risk 0.35 · cvss 5.4 · epss 0.80

    Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34198 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier does not escape the name and description of Stash Branch parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34196 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins REST List Parameter Plugin 1.5.2 and earlier does not escape the name and description of REST list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34195 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Repository Connector Plugin 2.2.0 and earlier does not escape the name and description of Maven Repository Artifact parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-34194 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Readonly Parameter Plugin 1.0.0 and earlier does not escape the name and description of Readonly String and Readonly Text parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-34192 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins ontrack Jenkins Plugin 4.0.0 and earlier does not escape the name of Ontrack: Multi Parameter choice, Ontrack: Parameter choice, and Ontrack: SingleParameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability…

  • CVE-2022-34187 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-34186 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-34184 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-34183 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34173 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2022-34172 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.

  • CVE-2022-34171 · Med · Jun 23, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335)…

  • CVE-2022-30967 · Med · May 17, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-30965 · Med · May 17, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-30955 · Med · May 17, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-30954 · Med · May 17, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

  • CVE-2022-30953 · Med · May 17, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.

  • CVE-2022-29046 · Med · Apr 12, 2022
    risk 0.35 · cvss 5.4 · epss 0.02

    Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure…

  • CVE-2022-29045 · Med · Apr 12, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-29040 · Med · Apr 12, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-29038 · Med · Apr 12, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-28153 · Med · Mar 29, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-28149 · Med · Mar 29, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-28134 · Med · Mar 29, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

  • CVE-2022-28133 · Med · Mar 29, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

  • CVE-2022-27202 · Med · Mar 15, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with…

  • CVE-2022-25204 · Med · Feb 15, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists.

  • CVE-2022-25203 · Med · Feb 15, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission.

  • CVE-2022-25197 · Med · Feb 15, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

Page 14 of 32