Filtered by vendor Jenkins
Subscriptions
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41933 | 1 Jenkins | 1 Job Configuration History | 2023-10-24 | 8.8 High |
| Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-41932 | 1 Jenkins | 1 Job Configuration History | 2023-10-24 | 6.5 Medium |
| Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'. | ||||
| CVE-2023-41931 | 1 Jenkins | 1 Job Configuration History | 2023-10-24 | 5.4 Medium |
| Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability. | ||||
| CVE-2023-41930 | 1 Jenkins | 1 Job Configuration History | 2023-10-24 | 4.3 Medium |
| Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. | ||||
| CVE-2023-40351 | 1 Jenkins | 1 Favorite View | 2023-10-24 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar. | ||||
| CVE-2023-40350 | 1 Jenkins | 1 Docker Swarm | 2023-10-24 | 5.4 Medium |
| Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. | ||||
| CVE-2023-40349 | 1 Jenkins | 1 Gogs | 2023-10-24 | 5.3 Medium |
| Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. | ||||
| CVE-2023-40348 | 1 Jenkins | 1 Gogs | 2023-10-24 | 5.3 Medium |
| The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. | ||||
| CVE-2023-40347 | 1 Jenkins | 1 Maven Artifact Choicelistprovider \(nexus\) | 2023-10-24 | 6.5 Medium |
| Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | ||||
| CVE-2023-40346 | 1 Jenkins | 1 Shortcut Job | 2023-10-24 | 5.4 Medium |
| Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. | ||||
| CVE-2023-40345 | 1 Jenkins | 1 Delphix | 2023-10-24 | 6.5 Medium |
| Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. | ||||
| CVE-2023-40344 | 1 Jenkins | 1 Delphix | 2023-10-24 | 4.3 Medium |
| A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2023-40343 | 1 Jenkins | 1 Tuleap Authentication | 2023-10-24 | 5.9 Medium |
| Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token. | ||||
| CVE-2023-40342 | 1 Jenkins | 1 Flaky Test Handler | 2023-10-24 | 5.4 Medium |
| Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents. | ||||
| CVE-2023-40341 | 1 Jenkins | 1 Blue Ocean | 2023-10-24 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. | ||||
| CVE-2023-40340 | 1 Jenkins | 1 Nodejs | 2023-10-24 | 7.5 High |
| Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. | ||||
| CVE-2023-40339 | 1 Jenkins | 1 Config File Provider | 2023-10-24 | 7.5 High |
| Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | ||||
| CVE-2023-40337 | 1 Jenkins | 1 Folders | 2023-10-24 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder. | ||||
| CVE-2023-40336 | 1 Jenkins | 1 Folders | 2023-10-24 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders. | ||||
| CVE-2023-39156 | 1 Jenkins | 1 Bazaar | 2023-10-24 | 5.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags. | ||||