Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2024-01-24 | Updated: 2024-05-14
A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-12-13 | Updated: 2023-12-18
A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.06% | Published: 2023-12-13 | Updated: 2023-12-18
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-12-13 | Updated: 2023-12-18
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-12-13 | Updated: 2023-12-18
Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.05% | Published: 2023-12-13 | Updated: 2023-12-18
A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-11-29 | Updated: 2023-12-05
A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-11-29 | Updated: 2023-12-05
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.05% | Published: 2023-10-25 | Updated: 2023-11-01
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-09-20 | Updated: 2023-09-22
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.05% | Published: 2023-09-20 | Updated: 2023-09-23
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.05% | Published: 2023-09-20 | Updated: 2023-09-23
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-09-20 | Updated: 2023-09-23
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-09-06 | Updated: 2023-09-11
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted permissions (typically optional ones, like Overall/Manage) to access functionality they are no longer entitled to.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-09-06 | Updated: 2023-09-11
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-09-06 | Updated: 2023-09-11
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-08-16 | Updated: 2023-08-18
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-08-16 | Updated: 2023-08-22
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-07-12 | Updated: 2023-07-20
A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-07-12 | Updated: 2023-07-20
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-07-12 | Updated: 2023-07-20
A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-07-12 | Updated: 2023-07-20
A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-07-12 | Updated: 2023-07-20
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.
Source: Jenkins Project
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2023-07-12 | Updated: 2023-07-26
Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.
Source: Jenkins Project
Max CVSS: 8.1 | EPSS Score: 0.13% | Published: 2023-06-14 | Updated: 2023-06-23
316 vulnerabilities found