VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2023-37964HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37962HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

  • CVE-2023-37961HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-37958HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2023-37957HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token.

  • CVE-2023-37946HigJul 12, 2023
    risk 0.57cvss 8.8epss 0.01

    Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.

  • CVE-2023-32998HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

  • CVE-2023-32995HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

  • CVE-2023-32992HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.01

    Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

  • CVE-2023-32991HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

  • CVE-2023-32989HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

  • CVE-2023-32987HigMay 16, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

  • CVE-2023-30525HigApr 12, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication.

  • CVE-2023-28676HigApr 2, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).

  • CVE-2023-28674HigApr 2, 2023
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

  • CVE-2023-28668CriApr 2, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

  • CVE-2023-25765CriFeb 15, 2023
    risk 0.57cvss 9.9epss 0.01

    In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the…

  • CVE-2023-24458HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2023-24456CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

  • CVE-2023-24452HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2023-24447HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

  • CVE-2023-24446HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-24443CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24441CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24437HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2023-24434HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-24432HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-24430CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24429CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file…

  • CVE-2023-24427CriJan 26, 2023
    risk 0.57cvss 9.8epss 0.01

    Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

  • CVE-2023-24426HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login.

  • CVE-2023-24424HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

  • CVE-2022-46682CriDec 12, 2022
    risk 0.57cvss 9.8epss 0.01

    Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45397CriNov 15, 2022
    risk 0.57cvss 9.8epss 0.01

    Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-41253HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41249HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41245HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored…

  • CVE-2022-41236HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on…

  • CVE-2022-41234HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.01

    Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

  • CVE-2022-41226CriSep 21, 2022
    risk 0.57cvss 9.8epss 0.01

    Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-36920HigJul 27, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-30972HigMay 17, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or…

  • CVE-2022-30971HigMay 17, 2022
    risk 0.57cvss 8.8epss 0.01

    Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-30958HigMay 17, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-28150HigMar 29, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job.

  • CVE-2022-25209HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-25208HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

  • CVE-2022-25207HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

  • CVE-2022-25206HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials.

  • CVE-2022-25205HigFeb 15, 2022
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers to connect to an attacker-specified database via JDBC using attacker-specified credentials and to determine if a class is available in the Jenkins instance.

Page 2 of 32