Filtered by vendor Jenkins
Total: 1603 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2023-10-24 | 9.8 Critical | Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.
CVE-2023-24426 | 1 Jenkins | 1 Azure Ad | 2023-10-24 | 8.8 High | Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login.
CVE-2023-24425 | 1 Jenkins | 1 Kubernetes Credentials Provider | 2023-10-24 | 6.5 Medium | Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.
CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2023-10-24 | 8.8 High | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2023-24423 | 1 Jenkins | 1 Gerrit Trigger | 2023-10-24 | 6.5 Medium | A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.
CVE-2023-24422 | 1 Jenkins | 1 Script Security | 2023-10-24 | 8.8 High | A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2023-08-24 | 5.4 Medium | A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-4302 | 1 Jenkins | 1 Fortify | 2023-08-24 | 4.3 Medium | A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-4303 | 1 Jenkins | 1 Fortify | 2023-08-24 | 6.1 Medium | Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability.
CVE-2023-3442 | 1 Jenkins | 1 Servicenow Devops | 2023-08-03 | 7.5 High | A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
CVE-2023-3414 | 1 Jenkins | 1 Servicenow Devops | 2023-08-01 | 6.5 Medium | A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
CVE-2022-2048 | 4 Debian, Eclipse, Jenkins and 1 more | 8 Debian Linux, Jetty, Jenkins and 5 more | 2023-07-24 | 7.5 High | In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CVE-2023-2196 | 1 Jenkins | 1 Code Dx | 2023-05-25 | 4.3 Medium | A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.
CVE-2023-2631 | 1 Jenkins | 1 Code Dx | 2023-05-25 | 4.3 Medium | A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVE-2023-2195 | 1 Jenkins | 1 Code Dx | 2023-05-25 | 3.5 Low | A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2023-2633 | 1 Jenkins | 1 Code Dx | 2023-05-25 | 4.3 Medium | Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.
CVE-2023-2632 | 1 Jenkins | 1 Code Dx | 2023-05-25 | 4.3 Medium | Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2013-2033 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2023-02-13 | N/A | Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-0329 | 1 Jenkins | 1 Jenkins | 2023-02-13 | N/A | Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.
CVE-2013-0328 | 1 Jenkins | 1 Jenkins | 2023-02-13 | N/A | Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.