Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1331 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-43411 1 Jenkins 1 Gitlab 2022-10-20 N/A 5.3 MEDIUM
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2022-43423 1 Jenkins 2 Compuware Source Code Download For Endevor\, Pds\, And Ispw, Jenkins 2022-10-20 N/A 5.3 MEDIUM
Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
CVE-2022-34175 1 Jenkins 1 Jenkins 2022-10-20 5.0 MEDIUM 7.5 HIGH
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
CVE-2017-2601 1 Jenkins 1 Jenkins 2022-10-19 3.5 LOW 5.4 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2022-27206 1 Jenkins 1 Gitlab Authentication 2022-10-17 4.0 MEDIUM 6.5 MEDIUM
Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CVE-2022-27201 1 Jenkins 2 Jenkins, Semantic Versioning 2022-10-17 4.0 MEDIUM 6.5 MEDIUM
Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2022-27195 1 Jenkins 1 Parameterized Remote Trigger 2022-10-17 2.1 LOW 5.5 MEDIUM
Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.
CVE-2020-2094 1 Jenkins 1 Health Advisor By Cloudbees 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.
CVE-2022-20614 2 Jenkins, Oracle 2 Mailer, Communications Cloud Native Core Automated Test Suite 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
CVE-2022-20618 1 Jenkins 1 Bitbucket Branch Source 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2022-20616 1 Jenkins 1 Credentials Binding 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.
CVE-2022-20620 1 Jenkins 1 Ssh Agent 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2022-27199 1 Jenkins 1 Cloudbees Aws Credentials 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.
CVE-2022-27215 1 Jenkins 1 Release Helper 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-27205 1 Jenkins 1 Extended Choice Parameter 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVE-2022-28137 1 Jenkins 1 Jiratestresultreporter 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-34796 1 Jenkins 1 Deployment Dashboard 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2022-28147 1 Jenkins 1 Continuous Integration With Toad Edge 2022-10-17 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
CVE-2019-10433 1 Jenkins 1 Dingding 2022-10-11 2.1 LOW 3.3 LOW
Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2022-34200 1 Jenkins 1 Convertigo Mobile Platform 2022-10-07 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL.