CVEdetails.com the ultimate security vulnerability data source

Jenkins : Security Vulnerabilities

Table columns on the source page: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access Complexity | Authentication | Conf. | Integ. | Avail.

Every entry on this page lists no exploits, a Score of 0.0, a Gained Access Level of None, and the placeholder ??? (unpopulated) for Access Complexity, Authentication, Conf., Integ. and Avail. Those identical fields are stated here once; each entry below gives the remaining columns, with the CWE ID and Vulnerability Type(s) left out where the page shows none.

1. CVE-2022-46688 | CWE-352 | CSRF | published 2022-12-12 | updated 2022-12-14
   A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

2. CVE-2022-46687 | CWE-79 | XSS | published 2022-12-12 | updated 2022-12-12
   Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

3. CVE-2022-46686 | CWE-79 | XSS | published 2022-12-12 | updated 2022-12-12
   Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

4. CVE-2022-46684 | CWE-79 | XSS | published 2022-12-12 | updated 2022-12-12
   Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.

5. CVE-2022-46683 | CWE-601 | published 2022-12-12 | updated 2022-12-12
   Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

6. CVE-2022-46682 | CWE-611 | published 2022-12-12 | updated 2022-12-12
   Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

7. CVE-2022-45401 | CWE-79 | XSS | published 2022-11-15 | updated 2022-11-18
   Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

8. CVE-2022-45400 | CWE-611 | published 2022-11-15 | updated 2022-11-20
   Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

9. CVE-2022-45399 | CWE-862 | published 2022-11-15 | updated 2022-11-18
   A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

10. CVE-2022-45398 | CWE-352 | CSRF | published 2022-11-15 | updated 2022-11-18
    A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

11. CVE-2022-45397 | CWE-611 | published 2022-11-15 | updated 2022-11-20
    Jenkins OSF Builder Suite :: XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

12. CVE-2022-45396 | CWE-611 | published 2022-11-15 | updated 2022-11-20
    Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

13. CVE-2022-45395 | CWE-611 | published 2022-11-15 | updated 2022-11-20
    Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

14. CVE-2022-45394 | CWE-862 | published 2022-11-15 | updated 2022-11-18
    A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

15. CVE-2022-45393 | CWE-352 | CSRF | published 2022-11-15 | updated 2022-11-18
    A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.

16. CVE-2022-45392 | CWE-256 | published 2022-11-15 | updated 2022-11-18
    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

17. CVE-2022-45391 | CWE-295 | published 2022-11-15 | updated 2022-11-18
    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

18. CVE-2022-45390 | CWE-862 | published 2022-11-15 | updated 2022-11-18
    A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

19. CVE-2022-45389 | CWE-862 | published 2022-11-15 | updated 2022-11-18
    A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

20. CVE-2022-45388 | CWE-22 | Dir. Trav. | published 2022-11-15 | updated 2022-11-18
    Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

21. CVE-2022-45387 | CWE-79 | XSS | published 2022-11-15 | updated 2022-11-17
    Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

22. CVE-2022-45386 | CWE-611 | published 2022-11-15 | updated 2022-11-18
    Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

23. CVE-2022-45385 | CWE-862 | published 2022-11-15 | updated 2022-11-18
    A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

24. CVE-2022-45384 | CWE-522 | published 2022-11-15 | updated 2022-11-18
    Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

25. CVE-2022-45383 | CWE-863 | published 2022-11-15 | updated 2022-11-21
    An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

26. CVE-2022-45382 | CWE-79 | XSS | published 2022-11-15 | updated 2022-11-18
    Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

27. CVE-2022-45381 | CWE-22 | Dir. Trav. | published 2022-11-15 | updated 2022-11-29
    Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

28. CVE-2022-45380 | CWE-79 | XSS | published 2022-11-15 | updated 2022-11-18
    Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

29. CVE-2022-45379 | CWE-326 | published 2022-11-15 | updated 2022-11-18
    Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

30. CVE-2022-43435 | published 2022-10-19 | updated 2022-10-24
    Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

31. CVE-2022-43434 | CWE-693 | published 2022-10-19 | updated 2022-10-24
    Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

32. CVE-2022-43433 | CWE-693 | published 2022-10-19 | updated 2022-10-23
    Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

33. CVE-2022-43432 | published 2022-10-19 | updated 2022-10-23
    Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

34. CVE-2022-43431 | CWE-862 | published 2022-10-19 | updated 2022-10-22
    Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

35. CVE-2022-43430 | CWE-611 | published 2022-10-19 | updated 2022-10-22
    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

36. CVE-2022-43427 | CWE-862 | published 2022-10-19 | updated 2022-10-22
    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

37. CVE-2022-43426 | CWE-549 | published 2022-10-19 | updated 2022-10-22
    Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

38. CVE-2022-43425 | CWE-79 | XSS | published 2022-10-19 | updated 2022-10-22
    Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

39. CVE-2022-43421 | CWE-862 | published 2022-10-19 | updated 2022-10-21
    A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value.

40. CVE-2022-43420 | CWE-79 | XSS | published 2022-10-19 | updated 2022-10-21
    Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.

41. CVE-2022-43419 | CWE-522 | published 2022-10-19 | updated 2022-10-21
    Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

42. CVE-2022-43418 | CWE-352 | CSRF | published 2022-10-19 | updated 2022-10-21
    A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

43. CVE-2022-43417 | CWE-862 | published 2022-10-19 | updated 2022-10-21
    Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

44. CVE-2022-43415 | CWE-611 | published 2022-10-19 | updated 2022-10-21
    Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

45. CVE-2022-43414 | published 2022-10-19 | updated 2022-10-21
    Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.

46. CVE-2022-43413 | CWE-862 | published 2022-10-19 | updated 2022-10-21
    Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

47. CVE-2022-43412 | CWE-203 | published 2022-10-19 | updated 2022-10-20
    Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

48. CVE-2022-43411 | CWE-203 | published 2022-10-19 | updated 2022-10-20
    Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

49. CVE-2022-43410 | CWE-200 | +Info | published 2022-10-19 | updated 2022-11-03
    Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.

50. CVE-2022-43409 | CWE-79 | XSS | published 2022-10-19 | updated 2022-10-21
    Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
Total number of vulnerabilities: 134 (this is page 1 of 3).