Filtered by vendor Jenkins
Total: 1603 CVEs
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-37957 | Jenkins | Pipeline Restful Api | 2023-12-10 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token.
CVE-2023-37952 | Jenkins | Mabl | 2023-12-10 | N/A | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins mabl Plugin 0.0.46 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-46655 | Jenkins | Cloudbees Cd | 2023-12-10 | N/A | 6.5 MEDIUM | Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
CVE-2023-40340 | Jenkins | Nodejs | 2023-12-10 | N/A | 7.5 HIGH | Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
CVE-2023-41934 | Jenkins | Pipeline Maven Integration | 2023-12-10 | N/A | 5.3 MEDIUM | Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.
CVE-2023-39154 | Jenkins | Qualys Web App Scanning Connector | 2023-12-10 | N/A | 6.5 MEDIUM | Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-40349 | Jenkins | Gogs | 2023-12-10 | N/A | 5.3 MEDIUM | Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.
CVE-2023-4302 | Jenkins | Fortify | 2023-12-10 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-40343 | Jenkins | Tuleap Authentication | 2023-12-10 | N/A | 5.9 MEDIUM | Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token, allowing attackers to use statistical methods to obtain a valid authentication token.
CVE-2023-39155 | Jenkins | Chef Identity | 2023-12-10 | N/A | 5.3 MEDIUM | Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
CVE-2023-40337 | Jenkins | Folders | 2023-12-10 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
CVE-2023-4301 | Jenkins | Fortify | 2023-12-10 | N/A | 5.4 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-41946 | Jenkins | Frugal Testing | 2023-12-10 | N/A | 3.5 LOW | A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
CVE-2023-37962 | Jenkins | Benchmark Evaluator | 2023-12-10 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.
CVE-2023-46656 | Jenkins | Multibranch Scan Webhook Trigger | 2023-12-10 | N/A | 5.3 MEDIUM | Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
CVE-2023-41935 | Jenkins | Azure Ad | 2023-12-10 | N/A | 7.5 HIGH | Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
CVE-2023-41945 | Jenkins | Assembla Auth | 2023-12-10 | N/A | 8.8 HIGH | Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.
CVE-2023-40351 | Jenkins | Favorite View | 2023-12-10 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.
CVE-2023-37948 | Jenkins | Cloud Infrastructure Compute | 2023-12-10 | N/A | 3.7 LOW | Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting to OCI clouds, enabling man-in-the-middle attacks.
CVE-2023-41947 | Jenkins | Frugal Testing | 2023-12-10 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.