Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37961 | 1 Jenkins | 1 Assembla | 2023-12-10 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2023-37942 | 1 Jenkins | 1 External Monitor Job Type | 2023-12-10 | N/A | 6.5 MEDIUM |
| Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-41940 | 1 Jenkins | 1 Tap | 2023-12-10 | N/A | 5.4 MEDIUM |
| Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. | |||||
| CVE-2023-41936 | 1 Jenkins | 1 Google Login | 2023-12-10 | N/A | 7.5 HIGH |
| Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. | |||||
| CVE-2023-43498 | 1 Jenkins | 1 Jenkins | 2023-12-10 | N/A | 8.1 HIGH |
| In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | |||||
| CVE-2023-40339 | 1 Jenkins | 1 Config File Provider | 2023-12-10 | N/A | 7.5 HIGH |
| Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | |||||
| CVE-2023-41944 | 1 Jenkins | 1 Aws Codecommit Trigger | 2023-12-10 | N/A | 6.1 MEDIUM |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability. | |||||
| CVE-2023-43496 | 1 Jenkins | 1 Jenkins | 2023-12-10 | N/A | 8.8 HIGH |
| Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. | |||||
| CVE-2023-41930 | 1 Jenkins | 1 Job Configuration History | 2023-12-10 | N/A | 4.3 MEDIUM |
| Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. | |||||
| CVE-2023-3442 | 1 Jenkins | 1 Servicenow Devops | 2023-12-10 | N/A | 7.5 HIGH |
| A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform. | |||||
| CVE-2023-40348 | 1 Jenkins | 1 Gogs | 2023-12-10 | N/A | 5.3 MEDIUM |
| The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. | |||||
| CVE-2023-37964 | 1 Jenkins | 1 Elasticbox Ci | 2023-12-10 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-41942 | 1 Jenkins | 1 Aws Codecommit Trigger | 2023-12-10 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. | |||||
| CVE-2023-46659 | 1 Jenkins | 1 Edgewall Trac | 2023-12-10 | N/A | 5.4 MEDIUM |
| Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-41937 | 1 Jenkins | 1 Bitbucket Push And Pull Request | 2023-12-10 | N/A | 7.5 HIGH |
| Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. | |||||
| CVE-2023-32985 | 1 Jenkins | 1 Sidebar Link | 2023-12-10 | N/A | 4.3 MEDIUM |
| Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | |||||
| CVE-2023-30520 | 1 Jenkins | 1 Quay.io Trigger | 2023-12-10 | N/A | 5.4 MEDIUM |
| Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads. | |||||
| CVE-2023-32999 | 1 Jenkins | 1 Appspider | 2023-12-10 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. | |||||
| CVE-2023-32984 | 1 Jenkins | 1 Testng Results | 2023-12-10 | N/A | 5.4 MEDIUM |
| Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file. | |||||
| CVE-2023-32983 | 1 Jenkins | 1 Ansible | 2023-12-10 | N/A | 5.3 MEDIUM |
| Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. | |||||