VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,579 total · sorted by risk
  • CVE-2023-37959 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2023-37956 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2023-37952 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins mabl Plugin 0.0.46 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37951 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

  • CVE-2023-37944 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37942 · Medium · Jul 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-35149 · Medium · Jun 14, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

  • CVE-2023-35148 · Medium · Jun 14, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

  • CVE-2023-35147 · Medium · Jun 14, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

  • CVE-2023-32990 · Medium · May 16, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

  • CVE-2023-30532 · Medium · Apr 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2023-30531 · Medium · Apr 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2023-30528 · Medium · Apr 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2023-30526 · Medium · Apr 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

  • CVE-2023-30516 · Medium · Apr 12, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation…

  • CVE-2023-28684 · Medium · Apr 2, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-28672 · Medium · Apr 2, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…

  • CVE-2023-27901 · High · Mar 10, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of…

  • CVE-2023-27900 · High · Mar 10, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of…

  • CVE-2023-24459 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2023-24453 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2023-24450 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2023-24448 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

  • CVE-2023-24438 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2023-24435 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2023-24433 · Medium · Jan 26, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-45385 · High · Nov 15, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2022-45384 · Medium · Nov 15, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

  • CVE-2022-45379 · High · Nov 15, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

  • CVE-2022-43430 · High · Oct 19, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-43415 · High · Oct 19, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-41255 · Medium · Sep 21, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-41254 · Medium · Sep 21, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41250 · Medium · Sep 21, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-41246 · Medium · Sep 21, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2022-38665 · Medium · Aug 23, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-36911 · Medium · Jul 27, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2022-36909 · Medium · Jul 27, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins…

  • CVE-2022-36908 · Medium · Jul 27, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins controller…

  • CVE-2022-36907 · Medium · Jul 27, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2022-36906 · Medium · Jul 27, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2022-36883 · High · Jul 27, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.05

    A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

  • CVE-2022-34810 · Medium · Jun 30, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-34809 · Medium · Jun 30, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34805 · Medium · Jun 30, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34213 · Medium · Jun 23, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34207 · Medium · Jun 23, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2022-34205 · Medium · Jun 23, 2022
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL.

  • CVE-2022-34180 · High · Jun 23, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any…

  • CVE-2022-34179 · High · Jun 23, 2022
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without…

Page 9 of 32