Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-49653 | 1 Jenkins | 1 Jira | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | |||||
CVE-2023-49654 | 1 Jenkins | 1 Matlab | 2023-12-10 | N/A | 9.8 CRITICAL |
Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. | |||||
CVE-2023-49673 | 1 Jenkins | 4 Google Compute Engine, Jira, Matlab and 1 more | 2023-12-10 | N/A | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | |||||
CVE-2023-49656 | 1 Jenkins | 1 Matlab | 2023-12-10 | N/A | 9.8 CRITICAL |
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-49652 | 1 Jenkins | 1 Google Compute Engine | 2023-12-10 | N/A | 2.7 LOW |
Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. | |||||
CVE-2023-49655 | 1 Jenkins | 1 Matlab | 2023-12-10 | N/A | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system. | |||||
CVE-2023-49674 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | |||||
CVE-2023-40350 | 1 Jenkins | 1 Docker Swarm | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. | |||||
CVE-2023-37944 | 1 Jenkins | 1 Datadog | 2023-12-10 | N/A | 6.5 MEDIUM |
A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2023-39152 | 1 Jenkins | 1 Gradle | 2023-12-10 | N/A | 6.5 MEDIUM |
Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. | |||||
CVE-2023-46654 | 1 Jenkins | 1 Cloudbees Cd | 2023-12-10 | N/A | 8.1 HIGH |
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system. | |||||
CVE-2023-43500 | 1 Jenkins | 1 Build Failure Analyzer | 2023-12-10 | N/A | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | |||||
CVE-2023-41932 | 1 Jenkins | 1 Job Configuration History | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'. | |||||
CVE-2023-41933 | 1 Jenkins | 1 Job Configuration History | 2023-12-10 | N/A | 8.8 HIGH |
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-37954 | 1 Jenkins | 1 Rebuilder | 2023-12-10 | N/A | 4.3 MEDIUM |
A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build. | |||||
CVE-2023-37947 | 1 Jenkins | 1 Openshift Login | 2023-12-10 | N/A | 6.1 MEDIUM |
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks. | |||||
CVE-2023-40344 | 1 Jenkins | 1 Delphix | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
CVE-2023-40346 | 1 Jenkins | 1 Shortcut Job | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. | |||||
CVE-2023-37945 | 1 Jenkins | 1 Saml Single Sign On | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm. | |||||
CVE-2023-43495 | 1 Jenkins | 1 Jenkins | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. |