Vulnerabilities > Jenkins > Jenkins > 2.22
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-10 | CVE-2023-27900 | Allocation of Resources Without Limits or Throttling vulnerability in Jenkins Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. | 7.5 |
| 2023-03-10 | CVE-2023-27901 | Allocation of Resources Without Limits or Throttling vulnerability in Jenkins Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service. | 7.5 |
| 2023-03-10 | CVE-2023-27902 | Unspecified vulnerability in Jenkins Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents. | 4.3 |
| 2023-03-10 | CVE-2023-27903 | Incorrect Authorization vulnerability in Jenkins Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used. | 4.4 |
| 2023-03-10 | CVE-2023-27904 | Unspecified vulnerability in Jenkins Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. | 5.3 |
| 2022-07-07 | CVE-2022-2048 | In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. | 7.5 |
| 2022-06-23 | CVE-2022-34174 | Information Exposure Through Discrepancy vulnerability in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | 7.5 |
| 2022-02-09 | CVE-2022-0538 | Deserialization of Untrusted Data vulnerability in Jenkins Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. | 7.5 |
| 2022-01-12 | CVE-2022-20612 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. | 4.3 |
| 2021-11-04 | CVE-2021-21685 | Missing Authorization vulnerability in Jenkins Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs. | 9.1 |