Vulnerabilities > Jenkins

DATE CVE VULNERABILITY TITLE RISK
2022-06-30 CVE-2022-34814 Incorrect Authorization vulnerability in Jenkins Request Rename or Delete
Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests.
network
low complexity
jenkins CWE-863
4.3
4.3
2022-06-30 CVE-2022-34815 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Request Rename or Delete
A cross-site request forgery (CSRF) vulnerability in Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier allows attackers to accept pending requests, thereby renaming or deleting jobs.
network
low complexity
jenkins CWE-352
4.3
4.3
2022-06-30 CVE-2022-34816 Insufficiently Protected Credentials vulnerability in Jenkins HPE Network Virtualization 1.0
Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
network
low complexity
jenkins CWE-522
6.5
6.5
2022-06-30 CVE-2022-34817 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Failed JOB Deactivator
A cross-site request forgery (CSRF) vulnerability in Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier allows attackers to disable jobs.
network
low complexity
jenkins CWE-352
4.3
4.3
2022-06-30 CVE-2022-34818 Missing Authorization vulnerability in Jenkins Failed JOB Deactivator
Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.
network
low complexity
jenkins CWE-862
4.3
4.3
2022-06-23 CVE-2022-34170 Cross-site Scripting vulnerability in Jenkins 2.333/2.334
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
network
low complexity
jenkins CWE-79
5.4
5.4
2022-06-23 CVE-2022-34171 Cross-site Scripting vulnerability in Jenkins 2.333/2.334
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
5.4
5.4
2022-06-23 CVE-2022-34172 Cross-site Scripting vulnerability in Jenkins
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
5.4
5.4
2022-06-23 CVE-2022-34173 Cross-site Scripting vulnerability in Jenkins
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
network
low complexity
jenkins CWE-79
5.4
5.4
2022-06-23 CVE-2022-34174 Information Exposure Through Discrepancy vulnerability in Jenkins
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
network
low complexity
jenkins CWE-203
7.5
7.5