Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-06 | CVE-2023-41936 | Incorrect Comparison vulnerability in Jenkins Google Login Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. | 7.5 |
| 2023-09-06 | CVE-2023-41937 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Bitbucket Push and Pull Request Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. | 7.5 |
| 2023-09-06 | CVE-2023-41938 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins IVY A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. | 6.5 |
| 2023-09-06 | CVE-2023-41939 | Improper Preservation of Permissions vulnerability in Jenkins Ssh2 Easy Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | 8.8 |
| 2023-09-06 | CVE-2023-41940 | Cross-site Scripting vulnerability in Jenkins TAP Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. | 5.4 |
| 2023-09-06 | CVE-2023-41941 | Missing Authorization vulnerability in Jenkins AWS Codecommit Trigger A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. | 4.3 |
| 2023-09-06 | CVE-2023-41942 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins AWS Codecommit Trigger A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. | 4.3 |
| 2023-09-06 | CVE-2023-41943 | Missing Authorization vulnerability in Jenkins AWS Codecommit Trigger Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. | 6.5 |
| 2023-09-06 | CVE-2023-41944 | Cross-site Scripting vulnerability in Jenkins AWS Codecommit Trigger Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability. | 6.1 |
| 2023-09-06 | CVE-2023-41945 | Missing Authorization vulnerability in Jenkins Assembla Auth Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. | 8.8 |