| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-46688 |
352 |
|
CSRF |
2022-12-12 |
2022-12-14 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. |
|
2 |
CVE-2022-46687 |
79 |
|
XSS |
2022-12-12 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. |
|
3 |
CVE-2022-46686 |
79 |
|
XSS |
2022-12-12 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. |
|
4 |
CVE-2022-46684 |
79 |
|
XSS |
2022-12-12 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. |
|
5 |
CVE-2022-46683 |
601 |
|
|
2022-12-12 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. |
|
6 |
CVE-2022-46682 |
611 |
|
|
2022-12-12 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
7 |
CVE-2022-45401 |
79 |
|
XSS |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
8 |
CVE-2022-45400 |
611 |
|
|
2022-11-15 |
2022-11-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
9 |
CVE-2022-45399 |
862 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. |
|
10 |
CVE-2022-45398 |
352 |
|
CSRF |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. |
|
11 |
CVE-2022-45397 |
611 |
|
|
2022-11-15 |
2022-11-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
12 |
CVE-2022-45396 |
611 |
|
|
2022-11-15 |
2022-11-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
13 |
CVE-2022-45395 |
611 |
|
|
2022-11-15 |
2022-11-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
14 |
CVE-2022-45394 |
862 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. |
|
15 |
CVE-2022-45393 |
352 |
|
CSRF |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. |
|
16 |
CVE-2022-45392 |
256 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. |
|
17 |
CVE-2022-45391 |
295 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. |
|
18 |
CVE-2022-45390 |
862 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
|
19 |
CVE-2022-45389 |
862 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. |
|
20 |
CVE-2022-45388 |
22 |
|
Dir. Trav. |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system. |
|
21 |
CVE-2022-45387 |
79 |
|
XSS |
2022-11-15 |
2022-11-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. |
|
22 |
CVE-2022-45386 |
611 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
23 |
CVE-2022-45385 |
862 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. |
|
24 |
CVE-2022-45384 |
522 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. |
|
25 |
CVE-2022-45383 |
863 |
|
|
2022-11-15 |
2022-11-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. |
|
26 |
CVE-2022-45382 |
79 |
|
XSS |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. |
|
27 |
CVE-2022-45381 |
22 |
|
Dir. Trav. |
2022-11-15 |
2022-11-29 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. |
|
28 |
CVE-2022-45380 |
79 |
|
XSS |
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
29 |
CVE-2022-45379 |
326 |
|
|
2022-11-15 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. |
|
30 |
CVE-2022-43435 |
|
|
|
2022-10-19 |
2022-10-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
|
31 |
CVE-2022-43434 |
693 |
|
|
2022-10-19 |
2022-10-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
|
32 |
CVE-2022-43433 |
693 |
|
|
2022-10-19 |
2022-10-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
|
33 |
CVE-2022-43432 |
|
|
|
2022-10-19 |
2022-10-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
|
34 |
CVE-2022-43431 |
862 |
|
|
2022-10-19 |
2022-10-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
|
35 |
CVE-2022-43430 |
611 |
|
|
2022-10-19 |
2022-10-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
36 |
CVE-2022-43427 |
862 |
|
|
2022-10-19 |
2022-10-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
|
37 |
CVE-2022-43426 |
549 |
|
|
2022-10-19 |
2022-10-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it. |
|
38 |
CVE-2022-43425 |
79 |
|
XSS |
2022-10-19 |
2022-10-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
39 |
CVE-2022-43421 |
862 |
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value. |
|
40 |
CVE-2022-43420 |
79 |
|
XSS |
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses. |
|
41 |
CVE-2022-43419 |
522 |
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. |
|
42 |
CVE-2022-43418 |
352 |
|
CSRF |
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
|
43 |
CVE-2022-43417 |
862 |
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
|
44 |
CVE-2022-43415 |
611 |
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
|
45 |
CVE-2022-43414 |
|
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. |
|
46 |
CVE-2022-43413 |
862 |
|
|
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
|
47 |
CVE-2022-43412 |
203 |
|
|
2022-10-19 |
2022-10-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. |
|
48 |
CVE-2022-43411 |
203 |
|
|
2022-10-19 |
2022-10-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. |
|
49 |
CVE-2022-43410 |
200 |
|
+Info |
2022-10-19 |
2022-11-03 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access. |
|
50 |
CVE-2022-43409 |
79 |
|
XSS |
2022-10-19 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines. |
