Vulnerabilities > Jenkins > Jenkins > 1.129

DATE CVE VULNERABILITY TITLE RISK
2024-01-24 CVE-2024-23897 Unspecified vulnerability in Jenkins
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
network
low complexity
jenkins
critical
9.8
2023-10-10 CVE-2023-36478 Resource Exhaustion vulnerability in multiple products
Eclipse Jetty provides a web server and servlet container.
network
low complexity
eclipse jenkins debian CWE-400
7.5
2023-10-10 CVE-2023-44487 Resource Exhaustion vulnerability in multiple products
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
7.5
2023-09-20 CVE-2023-43495 Cross-site Scripting vulnerability in Jenkins
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.
network
low complexity
jenkins CWE-79
5.4
2023-09-20 CVE-2023-43496 Incorrect Default Permissions vulnerability in Jenkins
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
network
low complexity
jenkins CWE-276
8.8
2023-09-20 CVE-2023-43497 Unrestricted Upload of File with Dangerous Type vulnerability in Jenkins
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
network
low complexity
jenkins CWE-434
8.1
2023-09-20 CVE-2023-43498 Unspecified vulnerability in Jenkins
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
network
low complexity
jenkins
8.1
2023-07-26 CVE-2023-39151 Cross-site Scripting vulnerability in Jenkins
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
network
low complexity
jenkins CWE-79
5.4
2023-06-14 CVE-2023-35141 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions.
network
low complexity
jenkins CWE-352
8.0
2023-03-10 CVE-2023-27899 Incorrect Authorization vulnerability in Jenkins
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.
local
high complexity
jenkins CWE-863
7.0