Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1603 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21675 1 Jenkins 1 Requests 2023-12-27 4.3 MEDIUM 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.
CVE-2021-21655 1 Jenkins 1 P4 2023-12-27 5.8 MEDIUM 7.1 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.
CVE-2022-34790 1 Jenkins 1 Extreme Feedback Panel 2023-12-22 3.5 LOW 5.4 MEDIUM
Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-27209 1 Jenkins 1 Kubernetes Continuous Deploy 2023-12-22 4.0 MEDIUM 6.5 MEDIUM
A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2022-28134 1 Jenkins 1 Bitbucket Server Integration 2023-12-22 5.5 MEDIUM 5.4 MEDIUM
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.
CVE-2022-27216 1 Jenkins 1 Dbcharts 2023-12-22 4.0 MEDIUM 6.5 MEDIUM
Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CVE-2022-27215 1 Jenkins 1 Release Helper 2023-12-22 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-27214 1 Jenkins 1 Release Helper 2023-12-22 4.0 MEDIUM 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-27213 1 Jenkins 1 Environment Dashboard 2023-12-22 3.5 LOW 5.4 MEDIUM
Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
CVE-2022-29052 1 Jenkins 1 Google Compute Engine 2023-12-22 4.0 MEDIUM 4.3 MEDIUM
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CVE-2022-29051 1 Jenkins 1 Publish Over Ftp 2023-12-22 4.0 MEDIUM 4.3 MEDIUM
Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.
CVE-2022-29050 1 Jenkins 1 Publish Over Ftp 2023-12-22 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.
CVE-2022-28137 1 Jenkins 1 Jiratestresultreporter 2023-12-22 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-30946 1 Jenkins 1 Script Security 2023-12-22 4.3 MEDIUM 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
CVE-2022-27217 1 Jenkins 1 Vmware Vrealize Codestream 2023-12-21 4.0 MEDIUM 6.5 MEDIUM
Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CVE-2022-30949 1 Jenkins 1 Repo 2023-12-21 5.0 MEDIUM 5.3 MEDIUM
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
CVE-2022-29049 1 Jenkins 1 Promoted Builds 2023-12-21 4.0 MEDIUM 5.4 MEDIUM
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.
CVE-2022-29045 1 Jenkins 1 Promoted Builds 2023-12-21 3.5 LOW 5.4 MEDIUM
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-29047 1 Jenkins 1 Pipeline\ 2023-12-21 5.0 MEDIUM 5.3 MEDIUM
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
CVE-2022-25183 1 Jenkins 1 Pipeline\ 2023-12-21 6.5 MEDIUM 8.8 HIGH
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.