Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-12 | CVE-2022-23114 | Insufficiently Protected Credentials vulnerability in Jenkins Publish Over SSH Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 3.3 |
| 2022-01-12 | CVE-2022-23115 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Batch Task Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task. | 5.4 |
| 2022-01-12 | CVE-2022-23116 | Missing Encryption of Sensitive Data vulnerability in Jenkins Conjur Secrets Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. | 7.5 |
| 2022-01-12 | CVE-2022-23117 | Insufficiently Protected Credentials vulnerability in Jenkins Conjur Secrets Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. | 7.5 |
| 2022-01-12 | CVE-2022-23118 | Exposure of Resource to Wrong Sphere vulnerability in Jenkins Debian Package Builder Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller. | 8.8 |
| 2021-11-12 | CVE-2021-21699 | Cross-site Scripting vulnerability in Jenkins Active Choices Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2021-11-12 | CVE-2021-21700 | Cross-site Scripting vulnerability in Jenkins Scriptler 3.1/3.2/3.3 Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts. | 5.4 |
| 2021-11-12 | CVE-2021-21701 | XXE vulnerability in Jenkins Performance 3.20 Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 6.5 |
| 2021-11-12 | CVE-2021-43576 | XXE vulnerability in Jenkins Pom2Config 1.2 Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | 6.5 |
| 2021-11-12 | CVE-2021-43577 | XXE vulnerability in Jenkins Owasp Dependency-Check Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.1 |