Vulnerabilities > Jenkins
| Date | CVE | Title | Description | CVSS score |
|---|---|---|---|---|
| 2022-12-12 | CVE-2022-46682 | XXE vulnerability in Jenkins Plot | Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
| 2022-12-12 | CVE-2022-46683 | Open Redirect vulnerability in Jenkins Google Login 1.4 | Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | 6.1 |
| 2022-12-12 | CVE-2022-46684 | Cross-site Scripting vulnerability in Jenkins Checkmarx | Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability. | 5.4 |
| 2022-12-12 | CVE-2022-46686 | Cross-site Scripting vulnerability in Jenkins Custom Build Properties | Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. | 5.4 |
| 2022-12-12 | CVE-2022-46687 | Cross-site Scripting vulnerability in Jenkins Spring Config | Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | 5.4 |
| 2022-12-12 | CVE-2022-46688 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Sonar Gerrit | A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | 6.5 |
| 2022-11-15 | CVE-2022-38666 | Improper Certificate Validation vulnerability in Jenkins NS-ND Integration Performance Publisher | Jenkins NS-ND Integration Performance Publisher Plugin 22.214.171.124 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. | 7.5 |
| 2022-11-15 | CVE-2022-45379 | Inadequate Encryption Strength vulnerability in Jenkins Script Security | Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. | 7.5 |
| 2022-11-15 | CVE-2022-45380 | Cross-site Scripting vulnerability in Jenkins JUnit | Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
| 2022-11-15 | CVE-2022-45381 | Path Traversal vulnerability in Jenkins Pipeline Utility Steps 2.13.1 | Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of the Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | 8.1 |