Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-15 | CVE-2023-25764 | Cross-site Scripting vulnerability in Jenkins Email Extension Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates. | 5.4 |
| 2023-02-15 | CVE-2023-25765 | Unspecified vulnerability in Jenkins Email Extension In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
| 2023-02-15 | CVE-2023-25766 | Missing Authorization vulnerability in Jenkins Azure Credentials A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
| 2023-02-15 | CVE-2023-25767 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Azure Credentials A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server. | 8.8 |
| 2023-02-15 | CVE-2023-25768 | Missing Authorization vulnerability in Jenkins Azure Credentials A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. | 6.5 |
| 2023-01-26 | CVE-2023-24422 | OS Command Injection vulnerability in Jenkins Script Security A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 8.8 |
| 2023-01-26 | CVE-2023-24423 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Gerrit Trigger A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit. | 6.5 |
| 2023-01-26 | CVE-2023-24424 | Session Fixation vulnerability in Jenkins Openid Connect Authentication Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | 8.8 |
| 2023-01-26 | CVE-2023-24425 | Unspecified vulnerability in Jenkins Kubernetes Credentials Provider Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to. | 6.5 |
| 2023-01-26 | CVE-2023-24426 | Insufficient Session Expiration vulnerability in Jenkins Azure AD Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. | 8.8 |