Filtered by vendor Jenkins
Subscribe
Total
1634 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32998 | 1 Jenkins | 1 Appspider | 2025-01-23 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. | |||||
| CVE-2023-32997 | 1 Jenkins | 1 Cas | 2025-01-23 | N/A | 8.8 HIGH |
| Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-32994 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | N/A | 3.7 LOW |
| Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | |||||
| CVE-2023-32987 | 1 Jenkins | 1 Reverse Proxy Auth | 2025-01-23 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. | |||||
| CVE-2023-32980 | 1 Jenkins | 1 Email Extension | 2025-01-23 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job. | |||||
| CVE-2023-32979 | 1 Jenkins | 1 Email Extension | 2025-01-23 | N/A | 4.3 MEDIUM |
| Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. | |||||
| CVE-2023-32978 | 1 Jenkins | 1 Lightweight Directory Access Protocol | 2025-01-23 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. | |||||
| CVE-2023-32977 | 1 Jenkins | 1 Pipeline\ | 2025-01-23 | N/A | 5.4 MEDIUM |
| Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. | |||||
| CVE-2023-35142 | 1 Jenkins | 1 Checkmarx | 2025-01-02 | N/A | 8.1 HIGH |
| Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default. | |||||
| CVE-2023-35144 | 1 Jenkins | 1 Maven Repository Server | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2023-35143 | 1 Jenkins | 1 Maven Repository Server | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`. | |||||
| CVE-2023-35141 | 1 Jenkins | 1 Jenkins | 2025-01-02 | N/A | 8.0 HIGH |
| In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu. | |||||
| CVE-2023-35145 | 1 Jenkins | 1 Sonargraph Integration | 2025-01-02 | N/A | 5.4 MEDIUM |
| Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-35148 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-31 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2023-35147 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-12-31 | N/A | 6.5 MEDIUM |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-35149 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2024-12-30 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2024-23897 | 1 Jenkins | 1 Jenkins | 2024-12-20 | N/A | 9.8 CRITICAL |
| Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-3315 | 1 Jenkins | 1 Team Concert | 2024-12-11 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | |||||
| CVE-2024-23905 | 1 Jenkins | 1 Red Hat Dependency Analytics | 2024-11-21 | N/A | 5.4 MEDIUM |
| Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2024-23904 | 1 Jenkins | 1 Log Command | 2024-11-21 | N/A | 7.5 HIGH |
| Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. | |||||