Vulnerabilities > Jenkins

DATE CVE VULNERABILITY TITLE RISK
2022-12-12 CVE-2022-46682 XXE vulnerability in Jenkins Plot
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
network
low complexity
jenkins CWE-611
critical
9.8
2022-12-12 CVE-2022-46683 Open Redirect vulnerability in Jenkins Google Login 1.4
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
network
low complexity
jenkins CWE-601
6.1
2022-12-12 CVE-2022-46684 Cross-site Scripting vulnerability in Jenkins Checkmarx
Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
5.4
2022-12-12 CVE-2022-46686 Cross-site Scripting vulnerability in Jenkins Custom Build Properties
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
network
low complexity
jenkins CWE-79
5.4
2022-12-12 CVE-2022-46687 Cross-site Scripting vulnerability in Jenkins Spring Config
Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.
network
low complexity
jenkins CWE-79
5.4
2022-12-12 CVE-2022-46688 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Sonar Gerrit
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-352
6.5
2022-11-15 CVE-2022-38666 Improper Certificate Validation vulnerability in Jenkins Ns-Nd Integration Performance Publisher
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.
network
low complexity
jenkins CWE-295
7.5
2022-11-15 CVE-2022-45379 Inadequate Encryption Strength vulnerability in Jenkins Script Security
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.
network
low complexity
jenkins CWE-326
7.5
2022-11-15 CVE-2022-45380 Cross-site Scripting vulnerability in Jenkins Junit
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-11-15 CVE-2022-45381 Path Traversal vulnerability in Jenkins Pipeline Utility Steps 2.13.1
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
network
low complexity
jenkins CWE-22
8.1