Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-32983 | 1 Jenkins | 1 Ansible | 2023-12-10 | N/A | 5.3 MEDIUM |
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. | |||||
CVE-2023-33007 | 1 Jenkins | 1 Loadcomplete Support | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
CVE-2023-30523 | 1 Jenkins | 1 Report Portal | 2023-12-10 | N/A | 4.3 MEDIUM |
Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
CVE-2023-2631 | 1 Jenkins | 1 Code Dx | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
CVE-2023-30517 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-12-10 | N/A | 5.3 MEDIUM |
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. | |||||
CVE-2023-28679 | 1 Jenkins | 1 Mashup Portlets | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. | |||||
CVE-2023-28683 | 1 Jenkins | 1 Phabricator Differential | 2023-12-10 | N/A | 8.2 HIGH |
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-28676 | 1 Jenkins | 1 Convert To Pipeline | 2023-12-10 | N/A | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE). | |||||
CVE-2023-35143 | 1 Jenkins | 1 Maven Repository Server | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`. | |||||
CVE-2023-33005 | 1 Jenkins | 1 Wso2 Oauth | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login. | |||||
CVE-2023-30521 | 1 Jenkins | 1 Assembla Merge Request Builder | 2023-12-10 | N/A | 5.3 MEDIUM |
A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | |||||
CVE-2023-32978 | 1 Jenkins | 1 Lightweight Directory Access Protocol | 2023-12-10 | N/A | 4.3 MEDIUM |
A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. | |||||
CVE-2023-35145 | 1 Jenkins | 1 Sonargraph Integration | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission. | |||||
CVE-2023-30531 | 1 Jenkins | 1 Consul Kv Builder | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it. | |||||
CVE-2023-28685 | 1 Jenkins | 1 Absint A3 | 2023-12-10 | N/A | 7.1 HIGH |
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-32981 | 1 Jenkins | 1 Pipeline Utility Steps | 2023-12-10 | N/A | 8.8 HIGH |
An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content. | |||||
CVE-2023-28677 | 1 Jenkins | 1 Convert To Pipeline | 2023-12-10 | N/A | 9.8 CRITICAL |
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin. | |||||
CVE-2023-35144 | 1 Jenkins | 1 Maven Repository Server | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
CVE-2023-30515 | 1 Jenkins | 1 Thycotic Devops Secrets Vault | 2023-12-10 | N/A | 7.5 HIGH |
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. | |||||
CVE-2023-30527 | 1 Jenkins | 1 Wso2 Oauth | 2023-12-10 | N/A | 4.3 MEDIUM |
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |