Filtered by vendor Jenkins
Total 1612 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-34781 1 Jenkins 1 Xebialabs Xl Release 2024-11-20 6.5 Medium
Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2022-34778 1 Jenkins 1 Testng Results 2024-11-20 5.4 Medium
Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.
CVE-2022-29047 2 Jenkins, Redhat 3 Pipeline, Ocp Tools, Openshift 2024-11-20 5.3 Medium
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
CVE-2022-29048 2 Apple, Jenkins 2 Macos, Subversion 2024-11-20 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2022-27214 1 Jenkins 1 Release Helper 2024-11-19 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-25182 2 Jenkins, Redhat 2 Pipeline, Openshift 2024-11-19 8.8 High
A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured.
CVE-2022-23118 1 Jenkins 1 Debian Package Builder 2024-11-19 8.8 High
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.
CVE-2021-21633 1 Jenkins 1 Owasp Dependency-track 2024-11-19 8.8 High
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
CVE-2024-52553 1 Jenkins 1 Openid 2024-11-15 8.8 High
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
CVE-2024-52554 1 Jenkins 1 Shared Library Version Override 2024-11-15 8.8 High
Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection.
CVE-2024-47803 2 Jenkins, Redhat 2 Jenkins, Ocp Tools 2024-11-13 4.3 Medium
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
CVE-2024-47805 1 Jenkins 1 Credentials 2024-11-13 7.5 High
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
CVE-2024-47804 2 Jenkins, Redhat 2 Jenkins, Ocp Tools 2024-11-13 4.3 Medium
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
CVE-2024-28160 1 Jenkins 1 Icescrum 2024-11-07 8.8 High
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
CVE-2023-37942 1 Jenkins 1 External Monitor Job Type 2024-11-07 6.5 Medium
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-37943 1 Jenkins 1 Active Directory 2024-11-07 5.9 Medium
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
CVE-2023-37944 1 Jenkins 1 Datadog 2024-11-07 6.5 Medium
A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-37951 1 Jenkins 1 Mabl 2024-11-07 6.5 Medium
Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
CVE-2023-37952 1 Jenkins 1 Mabl 2024-11-07 6.5 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins mabl Plugin 0.0.46 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-37945 1 Jenkins 1 Saml Single Sign On 2024-11-07 4.3 Medium
A missing permission check in Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.