VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,577 total · sorted by risk
  • CVE-2023-50773 · Medium · Dec 13, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-50772 · Medium · Dec 13, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-50767 · Medium · Dec 13, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

  • CVE-2023-49674 · Medium · Nov 29, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-46652 · Medium · Oct 25, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins.

  • CVE-2023-46650 · Medium · Oct 25, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2023-41947 · Medium · Sep 6, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.

  • CVE-2023-41942 · Medium · Sep 6, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue.

  • CVE-2023-41941 · Medium · Sep 6, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.

  • CVE-2023-41930 · Medium · Sep 6, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.

  • CVE-2023-40351 · Medium · Aug 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.

  • CVE-2023-40344 · Medium · Aug 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-40338 · Medium · Aug 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

  • CVE-2023-40337 · Medium · Aug 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.

  • CVE-2023-39153 · Medium · Jul 26, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-39151 · Medium · Jul 26, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

  • CVE-2023-37954 · Medium · Jul 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build.

  • CVE-2023-37950 · Medium · Jul 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-37945 · Medium · Jul 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.

  • CVE-2023-33004 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.

  • CVE-2023-33003 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics.

  • CVE-2023-32999 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

  • CVE-2023-32996 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

  • CVE-2023-32988 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-32984 · Medium · May 16, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able…

  • CVE-2023-32980 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.

  • CVE-2023-32979 · Medium · May 16, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file…

  • CVE-2023-32977 · Medium · May 16, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

  • CVE-2023-30530 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-30527 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-30524 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-30523 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file…

  • CVE-2023-30522 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.

  • CVE-2023-30518 · Medium · Apr 12, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-28675 · Medium · Apr 2, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

  • CVE-2023-28673 · Medium · Apr 2, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-28671 · Medium · Apr 2, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-28669 · Medium · Apr 2, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

  • CVE-2023-27904 · Medium · Mar 10, 2023
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

  • CVE-2023-25764 · Medium · Feb 15, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or…

  • CVE-2023-25763 · Medium · Feb 15, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.

  • CVE-2023-25761 · Medium · Feb 15, 2023
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by…

  • CVE-2023-24455 · Medium · Jan 26, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2023-24449 · Medium · Jan 26, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

  • CVE-2023-24436 · Medium · Jan 26, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-24431 · Medium · Jan 26, 2023
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-46687 · Medium · Dec 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

  • CVE-2022-46686 · Medium · Dec 12, 2022
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to…

  • CVE-2022-45399 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

  • CVE-2022-45398 · Medium · Nov 15, 2022
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

Page 19 of 32