Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1603 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-37956 1 Jenkins 1 Test Results Aggregator 2023-12-10 N/A 6.5 MEDIUM
A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2023-37949 1 Jenkins 1 Orka By Macstadium 2023-12-10 N/A 7.1 HIGH
A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-39151 1 Jenkins 1 Jenkins 2023-12-10 N/A 5.4 MEDIUM
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
CVE-2023-41943 1 Jenkins 1 Aws Codecommit Trigger 2023-12-10 N/A 6.5 MEDIUM
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.
CVE-2023-37953 1 Jenkins 1 Mabl 2023-12-10 N/A 6.5 MEDIUM
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-3414 1 Jenkins 1 Servicenow Devops 2023-12-10 N/A 6.5 MEDIUM
A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
CVE-2023-46652 1 Jenkins 1 Lambdatest-automation 2023-12-10 N/A 4.3 MEDIUM
A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins.
CVE-2023-40342 1 Jenkins 1 Flaky Test Handler 2023-12-10 N/A 5.4 MEDIUM
Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.
CVE-2023-37950 1 Jenkins 1 Mabl 2023-12-10 N/A 4.3 MEDIUM
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-40345 1 Jenkins 1 Delphix 2023-12-10 N/A 6.5 MEDIUM
Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.
CVE-2023-46651 1 Jenkins 1 Warnings 2023-12-10 N/A 6.5 MEDIUM
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.
CVE-2023-46653 1 Jenkins 1 Lambdatest-automation 2023-12-10 N/A 6.5 MEDIUM
Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.
CVE-2023-41939 1 Jenkins 1 Ssh2 Easy 2023-12-10 N/A 8.8 HIGH
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.
CVE-2023-37963 1 Jenkins 1 Benchmark Evaluator 2023-12-10 N/A 5.4 MEDIUM
A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.
CVE-2023-46658 1 Jenkins 1 Msteams Webhook Trigger 2023-12-10 N/A 5.3 MEDIUM
Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2023-46657 1 Jenkins 1 Gogs 2023-12-10 N/A 5.3 MEDIUM
Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2023-37946 1 Jenkins 1 Openshift Login 2023-12-10 N/A 8.8 HIGH
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.
CVE-2023-37955 1 Jenkins 1 Test Results Aggregator 2023-12-10 N/A 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2023-41931 1 Jenkins 1 Job Configuration History 2023-12-10 N/A 5.4 MEDIUM
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.
CVE-2023-40347 1 Jenkins 1 Maven Artifact Choicelistprovider \(nexus\) 2023-12-10 N/A 6.5 MEDIUM
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.