Vulnerabilities > Jenkins > Pipeline > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-05-16 CVE-2023-32977 Cross-site Scripting vulnerability in Jenkins Pipeline: JOB
Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.
network
low complexity
jenkins CWE-79
5.4
2023-02-15 CVE-2023-25762 Cross-site Scripting vulnerability in Jenkins Pipeline: Build Step
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
network
low complexity
jenkins CWE-79
5.4
2022-10-19 CVE-2022-43408 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline:Stage View
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
network
low complexity
jenkins CWE-352
6.5
2022-10-19 CVE-2022-43409 Cross-site Scripting vulnerability in Jenkins Pipeline: Supporting Apis 838.Va3A087B4055B
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
network
low complexity
jenkins CWE-79
5.4
2022-04-12 CVE-2022-29047 Incorrect Authorization vulnerability in Jenkins Pipeline: Shared Groovy Libraries
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
network
low complexity
jenkins CWE-863
5.3
2022-03-29 CVE-2022-28156 Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace.
network
low complexity
jenkins CWE-22
6.5
2022-03-29 CVE-2022-28157 Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.
network
low complexity
jenkins CWE-22
6.5
2022-03-29 CVE-2022-28158 Missing Authorization vulnerability in Jenkins Pipeline: Phoenix Autotest
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
6.5
2022-02-15 CVE-2022-25176 Link Following vulnerability in Jenkins Pipeline: Groovy
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
network
low complexity
jenkins CWE-59
6.5
2022-02-15 CVE-2022-25177 Link Following vulnerability in Jenkins Pipeline:Shared Groovy Libraries
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
network
low complexity
jenkins CWE-59
6.5