Filtered by vendor Jenkins
Total: 1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-37956 | 1 Jenkins | 1 Test Results Aggregator | 2023-12-10 | N/A | 6.5 MEDIUM |
A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
CVE-2023-37949 | 1 Jenkins | 1 Orka By Macstadium | 2023-12-10 | N/A | 7.1 HIGH |
A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2023-39151 | 1 Jenkins | 1 Jenkins | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. | |||||
CVE-2023-41943 | 1 Jenkins | 1 Aws Codecommit Trigger | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. | |||||
CVE-2023-37953 | 1 Jenkins | 1 Mabl | 2023-12-10 | N/A | 6.5 MEDIUM |
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2023-3414 | 1 Jenkins | 1 Servicenow Devops | 2023-12-10 | N/A | 6.5 MEDIUM |
A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform. | |||||
CVE-2023-46652 | 1 Jenkins | 1 Lambdatest-automation | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. | |||||
CVE-2023-40342 | 1 Jenkins | 1 Flaky Test Handler | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents. | |||||
CVE-2023-37950 | 1 Jenkins | 1 Mabl | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
CVE-2023-40345 | 1 Jenkins | 1 Delphix | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. | |||||
CVE-2023-46651 | 1 Jenkins | 1 Warnings | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1. | |||||
CVE-2023-46653 | 1 Jenkins | 1 Lambdatest-automation | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure. | |||||
CVE-2023-41939 | 1 Jenkins | 1 Ssh2 Easy | 2023-12-10 | N/A | 8.8 HIGH |
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users who were granted permissions that have since been disabled (typically optional permissions such as Overall/Manage) to access functionality they are no longer entitled to. | |||||
CVE-2023-37963 | 1 Jenkins | 1 Benchmark Evaluator | 2023-12-10 | N/A | 5.4 MEDIUM |
A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system. | |||||
CVE-2023-46658 | 1 Jenkins | 1 Msteams Webhook Trigger | 2023-12-10 | N/A | 5.3 MEDIUM |
Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
CVE-2023-46657 | 1 Jenkins | 1 Gogs | 2023-12-10 | N/A | 5.3 MEDIUM |
Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||||
CVE-2023-37946 | 1 Jenkins | 1 Openshift Login | 2023-12-10 | N/A | 8.8 HIGH |
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login. | |||||
CVE-2023-37955 | 1 Jenkins | 1 Test Results Aggregator | 2023-12-10 | N/A | 6.5 MEDIUM |
A cross-site request forgery (CSRF) vulnerability in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
CVE-2023-41931 | 1 Jenkins | 1 Job Configuration History | 2023-12-10 | N/A | 5.4 MEDIUM |
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not properly sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
CVE-2023-40347 | 1 Jenkins | 1 Maven Artifact Choicelistprovider (nexus) | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. |
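The build-log hyperlinking flaw in CVE-2023-39151 above (URLs turned into links without encoding) is easiest to see side by side with the fix. The following is an added example, not code from Jenkins or any plugin on this page: `URL_RE`, the two `linkify_*` functions and the sample log lines are all constructed for the demo, and the matcher is deliberately simpler than the annotator Jenkins uses.

```python
import html
import re

# Constructed for this example: everything from "http(s)://" up to the next
# whitespace counts as the URL.  That is how attacker-controlled characters
# such as '"' and '<' travel inside the link text.  This is NOT the pattern
# the Jenkins build-log annotator uses.
URL_RE = re.compile(r"https?://\S+")

# Constructed log lines.  The second carries a payload a build step could
# write into the console log, e.g. by echoing it.
BENIGN_LINE = "See https://example.com/build/1 for details"
MALICIOUS_LINE = 'Fetching https://example.com/x"><script>alert(1)</script> done'


def linkify_vulnerable(log_line: str) -> str:
    """Flaw class: the matched URL is pasted verbatim into both the href
    attribute and the element body, so a '"' inside it closes the attribute
    and the remainder of the 'URL' becomes live markup."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', log_line)


def linkify_hardened(log_line: str) -> str:
    """Every fragment of the line, URL or not, is HTML-encoded before it is
    written, and the encoded URL is used for both href and body.  The only
    unencoded markup in the output is what this function itself emits, so log
    content can neither close the attribute nor open a tag."""
    out = []
    pos = 0
    for m in URL_RE.finditer(log_line):
        out.append(html.escape(log_line[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(html.escape(log_line[pos:], quote=True))
    return "".join(out)


def contains_live_script(rendered: str) -> bool:
    """Crude oracle for the demo: a literal <script tag survived rendering."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", linkify_vulnerable), ("hardened", linkify_hardened)):
        rendered = fn(MALICIOUS_LINE)
        print(f"{name}: live script tag = {contains_live_script(rendered)}")
        print("  " + rendered)
```

Note that the hardened version encodes the non-URL text as well; escaping only the URL would still leave the rest of an attacker-controlled log line as raw HTML.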
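CVE-2023-46658 and CVE-2023-46657 above both describe a webhook token checked with a non-constant-time comparison. The following added example (not code from the MSTeams Webhook Trigger or Gogs plugins) shows why that is exploitable: it counts byte comparisons instead of measuring time, which is what makes the demo deterministic, and recovers the token one byte at a time from that count. `Meter`, `naive_equals`, `constant_time_equals`, `recover_token` and the fixed `TOKEN` are all constructed for the demo.

```python
import hmac


class Meter:
    """Counts byte comparisons.  A real attacker never sees this number; it
    leaks as response time, averaged over many requests to beat jitter (the
    'statistical methods' in the advisory).  Counting stands in for timing."""
    def __init__(self):
        self.ticks = 0


def naive_equals(provided: bytes, expected: bytes, meter: Meter) -> bool:
    """Early-exit comparison of the kind the vulnerable plugins used: the
    work done grows with the length of the correct prefix."""
    if len(provided) != len(expected):
        return False
    for a, b in zip(provided, expected):
        meter.ticks += 1
        if a != b:
            return False
    return True


def constant_time_equals(provided: bytes, expected: bytes, meter: Meter) -> bool:
    """Always scans the full length and folds every difference into one
    accumulator, so the work done is independent of where the mismatch is.
    In production use hmac.compare_digest (Python) or MessageDigest.isEqual
    (Java) rather than hand-rolling this; it is spelled out here so the
    meter can count it."""
    if len(provided) != len(expected):
        return False
    diff = 0
    for a, b in zip(provided, expected):
        meter.ticks += 1
        diff |= a ^ b
    return diff == 0


def library_equals(provided: bytes, expected: bytes) -> bool:
    """What a fixed endpoint should actually call."""
    return hmac.compare_digest(provided, expected)


def recover_token(check, length: int, alphabet: bytes = b"0123456789abcdef"):
    """Simulated timing attack.  For every position but the last, the
    candidate byte that makes the endpoint do the most work is the correct
    one; the last byte is confirmed through the accept/reject result.
    Returns the token, or None when the oracle gives no usable signal."""
    meter = Meter()
    known = bytearray()
    for pos in range(length - 1):
        best, best_ticks = None, -1
        for c in alphabet:
            guess = bytes(known) + bytes([c]) + b"0" * (length - pos - 1)
            meter.ticks = 0
            check(guess, meter)
            if meter.ticks > best_ticks:
                best, best_ticks = c, meter.ticks
        known.append(best)
    for c in alphabet:
        guess = bytes(known) + bytes([c])
        if check(guess, meter):
            return guess
    return None


# Constructed secret for the demo; a real webhook token would be random.
TOKEN = b"7d3f9a1c0be4f2a6"


def attack(constant_time: bool):
    """Runs the recovery against one of the two comparison functions."""
    fn = constant_time_equals if constant_time else naive_equals
    return recover_token(lambda g, m: fn(g, TOKEN, m), len(TOKEN))


if __name__ == "__main__":
    print("naive compare, recovered:", attack(False))
    print("constant-time compare, recovered:", attack(True))
```

Against the naive comparison the loop needs at most 16 guesses per byte instead of 16^16 for the whole token; against the constant-time comparison every guess costs the same, the per-position maximum is a tie, and the recovery falls apart. The length check leaking early is normal for both `hmac.compare_digest` and `MessageDigest.isEqual`: token length is not secret, only its content is.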
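CVE-2023-37946 above (OpenShift Login Plugin does not invalidate the previous session on login) is a session fixation issue. The following added example, not code from the plugin or from Jenkins, models the two behaviours with a plain password login so it runs offline; the plugin itself authenticates through OpenShift OAuth, but the session-handling point is the same. `SessionStore`, `App`, `USERS` and `session_fixation` are constructed for the demo, and how the attacker plants the cookie in the victim's browser is out of scope here.

```python
import secrets
from typing import Dict, Optional

# Constructed user database for the demo.
USERS = {"victim": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class App:
    """Two behaviours: keep the pre-login session across authentication
    (the flaw) or invalidate it and bind the login to a fresh id (the fix)."""
    def __init__(self, rotate_session_on_login: bool) -> None:
        self.store = SessionStore()
        self.rotate = rotate_session_on_login

    def visit(self) -> str:
        """Any anonymous request is handed a session cookie before login."""
        return self.store.create()

    def login(self, sid: str, username: str, password: str) -> str:
        """Returns the session id the browser holds after a successful login.
        Plain string comparison is fine for a demo; see the constant-time
        discussion elsewhere on this page for real credential checks."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        if self.store.get(sid) is None:
            sid = self.store.create()
        if self.rotate:
            # The fix: drop the id the client arrived with, which an attacker
            # may have chosen, and attach the authenticated state to a new one.
            self.store.invalidate(sid)
            sid = self.store.create()
        self.store.get(sid)["user"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self.store.get(sid)
        return session.get("user") if session else None


def session_fixation(rotate_session_on_login: bool) -> Optional[str]:
    """Attacker obtains an anonymous session id, gets it into the victim's
    browser, and waits for the victim to log in.  Returns whoever the
    attacker's copy of the cookie now identifies."""
    app = App(rotate_session_on_login)
    planted_sid = app.visit()
    app.login(planted_sid, "victim", USERS["victim"])
    return app.whoami(planted_sid)


if __name__ == "__main__":
    print("no rotation, attacker's cookie is:", session_fixation(False))
    print("rotation on login, attacker's cookie is:", session_fixation(True))
```

With rotation disabled the attacker's pre-planted cookie becomes the victim's authenticated session without the attacker ever seeing a password or OAuth token; with rotation enabled that cookie is dead the moment the victim logs in.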