Filtered by vendor Jenkins
Subscriptions
Total
1606 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34175 | 1 Jenkins | 1 Jenkins | 2024-08-03 | 7.5 High |
| Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | ||||
| CVE-2022-34202 | 1 Jenkins | 1 Easyqa | 2024-08-03 | 6.5 Medium |
| Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | ||||
| CVE-2022-34206 | 1 Jenkins | 1 Jianliao Notification | 2024-08-03 | 4.3 Medium |
| A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. | ||||
| CVE-2022-34180 | 1 Jenkins | 1 Embeddable Build Status | 2024-08-03 | 7.5 High |
| Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. | ||||
| CVE-2022-34176 | 2 Jenkins, Redhat | 2 Junit, Openshift | 2024-08-03 | 5.4 Medium |
| Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | ||||
| CVE-2022-34187 | 1 Jenkins | 1 Filesystem List Parameter | 2024-08-03 | 5.4 Medium |
| Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-34178 | 1 Jenkins | 1 Embeddable Build Status | 2024-08-03 | 6.1 Medium |
| Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-34207 | 1 Jenkins | 1 Beaker Builder | 2024-08-03 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL. | ||||
| CVE-2022-34208 | 1 Jenkins | 1 Beaker Builder | 2024-08-03 | 4.3 Medium |
| A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | ||||
| CVE-2022-34177 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-08-03 | 7.5 High |
| Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. | ||||
| CVE-2022-34170 | 1 Jenkins | 1 Jenkins | 2024-08-03 | 5.4 Medium |
| In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | ||||
| CVE-2022-34183 | 1 Jenkins | 1 Agent Server Parameter | 2024-08-03 | 5.4 Medium |
| Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-34203 | 1 Jenkins | 1 Easyqa | 2024-08-03 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server. | ||||
| CVE-2022-34172 | 1 Jenkins | 1 Jenkins | 2024-08-03 | 5.4 Medium |
| In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-34171 | 1 Jenkins | 1 Jenkins | 2024-08-03 | 5.4 Medium |
| In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-34182 | 1 Jenkins | 1 Nested View | 2024-08-03 | 6.1 Medium |
| Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-34184 | 1 Jenkins | 1 Crx Content Package Deployer | 2024-08-03 | 5.4 Medium |
| Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-34188 | 1 Jenkins | 1 Hidden Parameter | 2024-08-03 | 5.4 Medium |
| Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-34179 | 1 Jenkins | 1 Embeddable Build Status | 2024-08-03 | 7.5 High |
| Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system. | ||||
| CVE-2022-34174 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 7.5 High |
| In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | ||||