Vulnerabilities > Jenkins > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-29 | CVE-2022-28155 | XXE vulnerability in Jenkins Pipeline: Phoenix Autotest Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
| 2022-03-15 | CVE-2022-27198 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cloudbees AWS Credentials A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. | 8.0 |
| 2022-03-15 | CVE-2022-27204 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Extended Choice Parameter 346.Vd87693C5A86C A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL. | 8.8 |
| 2022-02-15 | CVE-2022-25173 | OS Command Injection vulnerability in Jenkins Pipeline: Groovy Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | 8.8 |
| 2022-02-15 | CVE-2022-25174 | OS Command Injection vulnerability in Jenkins Pipeline:Shared Groovy Libraries Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | 8.8 |
| 2022-02-15 | CVE-2022-25175 | OS Command Injection vulnerability in Jenkins Pipeline: Multibranch Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | 8.8 |
| 2022-02-15 | CVE-2022-25181 | Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists. | 8.8 |
| 2022-02-15 | CVE-2022-25182 | Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured. | 8.8 |
| 2022-02-15 | CVE-2022-25183 | Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists. | 8.8 |
| 2022-02-15 | CVE-2022-25192 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Snow Commander A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |