Vulnerabilities > Jenkins > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-24 | CVE-2024-23897 | Unspecified vulnerability in Jenkins Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |
| 2023-11-29 | CVE-2023-49656 | XXE vulnerability in Jenkins Matlab Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
| 2023-11-29 | CVE-2023-49654 | Missing Authorization vulnerability in Jenkins Matlab Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. | 9.8 |
| 2023-03-10 | CVE-2023-27905 | Cross-site Scripting vulnerability in Jenkins Update-Center2 3.13/3.14 Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting. | 9.6 |
| 2023-03-10 | CVE-2023-27898 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. | 9.6 |
| 2023-02-15 | CVE-2023-25765 | Unspecified vulnerability in Jenkins Email Extension In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
| 2023-01-26 | CVE-2023-24456 | Session Fixation vulnerability in Jenkins Keycloak Authentication Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | 9.8 |
| 2023-01-26 | CVE-2023-24444 | Improper Resource Shutdown or Release vulnerability in Jenkins Openid Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. | 9.8 |
| 2023-01-26 | CVE-2023-24443 | XXE vulnerability in Jenkins Testcomplete Support Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
| 2023-01-26 | CVE-2023-24441 | XXE vulnerability in Jenkins Mstest Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |