Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-06 | CVE-2023-41937 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Bitbucket Push and Pull Request Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. | 7.5 |
| 2023-09-06 | CVE-2023-41938 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins IVY A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. | 6.5 |
| 2023-09-06 | CVE-2023-41939 | Improper Preservation of Permissions vulnerability in Jenkins Ssh2 Easy 1.4 Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | 8.8 |
| 2023-09-06 | CVE-2023-41940 | Cross-site Scripting vulnerability in Jenkins TAP Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. | 5.4 |
| 2023-09-06 | CVE-2023-41941 | Missing Authorization vulnerability in Jenkins AWS Codecommit Trigger 3.0.12 A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. | 4.3 |
| 2023-09-06 | CVE-2023-41942 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins AWS Codecommit Trigger 3.0.12 A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. | 4.3 |
| 2023-09-06 | CVE-2023-41943 | Missing Authorization vulnerability in Jenkins AWS Codecommit Trigger 3.0.12 Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. | 6.5 |
| 2023-09-06 | CVE-2023-41944 | Cross-site Scripting vulnerability in Jenkins AWS Codecommit Trigger 3.0.12 Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability. | 6.1 |
| 2023-09-06 | CVE-2023-41945 | Missing Authorization vulnerability in Jenkins Assembla Auth Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. | 8.8 |
| 2023-09-06 | CVE-2023-41946 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Frugal Testing 1.0/1.1 A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. | 3.5 |