Vulnerabilities > Jenkins > Jenkins > 2.263.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-24 | CVE-2024-23897 | Unspecified vulnerability in Jenkins Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |
2024-01-24 | CVE-2024-23898 | Origin Validation Error vulnerability in Jenkins Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. | 8.8 |
2023-10-10 | CVE-2023-36478 | Resource Exhaustion vulnerability in multiple products Eclipse Jetty provides a web server and servlet container. | 7.5 |
2023-10-10 | CVE-2023-44487 | Resource Exhaustion vulnerability in multiple products The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
2023-09-20 | CVE-2023-43494 | Unspecified vulnerability in Jenkins Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. | 4.3 |
2023-09-20 | CVE-2023-43495 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. | 5.4 |
2023-09-20 | CVE-2023-43496 | Incorrect Default Permissions vulnerability in Jenkins Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. | 8.8 |
2023-09-20 | CVE-2023-43497 | Unrestricted Upload of File with Dangerous Type vulnerability in Jenkins In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 8.1 |
2023-09-20 | CVE-2023-43498 | Unspecified vulnerability in Jenkins In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 8.1 |
2023-07-26 | CVE-2023-39151 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. | 5.4 |