Vulnerabilities > Jenkins > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-10-19 CVE-2022-43403 Unspecified vulnerability in Jenkins Script Security
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
network
low complexity
jenkins
critical
9.9
2022-10-19 CVE-2022-43404 Unspecified vulnerability in Jenkins Script Security
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
network
low complexity
jenkins
critical
9.9
2022-10-19 CVE-2022-43405 Unspecified vulnerability in Jenkins Groovy Libraries
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
network
low complexity
jenkins
critical
9.9
2022-10-19 CVE-2022-43406 Unspecified vulnerability in Jenkins Groovy Libraries
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
network
low complexity
jenkins
critical
9.9
2022-09-21 CVE-2022-41226 XXE vulnerability in Jenkins Compuware Common Configuration
Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
network
low complexity
jenkins CWE-611
critical
9.8
2022-09-21 CVE-2022-41237 Unspecified vulnerability in Jenkins Dotci
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
network
low complexity
jenkins
critical
9.8
2022-09-21 CVE-2022-41238 Missing Authorization vulnerability in Jenkins Dotci
A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.
network
low complexity
jenkins CWE-862
critical
9.8
2022-09-21 CVE-2022-41241 XXE vulnerability in Jenkins RQM
Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
network
low complexity
jenkins CWE-611
critical
9.1
2022-06-23 CVE-2022-34181 Unspecified vulnerability in Jenkins Xunit
Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.
network
low complexity
jenkins
critical
9.1
2021-11-04 CVE-2021-21685 Missing Authorization vulnerability in Jenkins
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
network
low complexity
jenkins CWE-862
critical
9.1