Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1331 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-45392 1 Jenkins 1 Ns-nd Integration Performance Publisher 2022-11-18 N/A 6.5 MEDIUM
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
CVE-2022-45391 1 Jenkins 1 Ns-nd Integration Performance Publisher 2022-11-18 N/A 7.5 HIGH
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
CVE-2022-45401 1 Jenkins 1 Associated Files 2022-11-18 N/A 5.4 MEDIUM
Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-45387 1 Jenkins 1 Bart 2022-11-17 N/A 5.4 MEDIUM
Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.
CVE-2022-30945 1 Jenkins 1 Pipeline\ 2022-11-16 6.8 MEDIUM 8.5 HIGH
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
CVE-2022-30952 1 Jenkins 1 Blue Ocean 2022-11-11 4.0 MEDIUM 6.5 MEDIUM
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
CVE-2020-2091 1 Jenkins 1 Amazon Ec2 2022-11-08 5.5 MEDIUM 8.1 HIGH
A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
CVE-2022-34173 1 Jenkins 1 Jenkins 2022-11-05 4.3 MEDIUM 6.1 MEDIUM
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2022-34171 1 Jenkins 1 Jenkins 2022-11-05 4.3 MEDIUM 6.1 MEDIUM
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2022-34172 1 Jenkins 1 Jenkins 2022-11-05 4.3 MEDIUM 6.1 MEDIUM
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2022-34170 1 Jenkins 1 Jenkins 2022-11-05 4.3 MEDIUM 6.1 MEDIUM
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2022-43410 1 Jenkins 1 Mercurial 2022-11-03 N/A 5.3 MEDIUM
Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.
CVE-2022-43401 1 Jenkins 1 Script Security 2022-10-31 N/A 9.9 CRITICAL
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
CVE-2020-2231 1 Jenkins 1 Jenkins 2022-10-28 3.5 LOW 5.4 MEDIUM
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
CVE-2022-25193 1 Jenkins 1 Snow Commander 2022-10-28 4.0 MEDIUM 6.5 MEDIUM
Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2022-25175 1 Jenkins 1 Pipeline\ 2022-10-28 6.5 MEDIUM 8.8 HIGH
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVE-2022-25192 1 Jenkins 1 Snow Commander 2022-10-28 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2022-29048 2 Apple, Jenkins 2 Macos, Subversion 2022-10-27 4.3 MEDIUM 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2022-29046 2 Apple, Jenkins 2 Macos, Subversion 2022-10-27 3.5 LOW 5.4 MEDIUM
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-2048 4 Debian, Eclipse, Jenkins and 1 more 8 Debian Linux, Jetty, Jenkins and 5 more 2022-10-25 5.0 MEDIUM 7.5 HIGH
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.