Jenkins vulnerabilities rated High
DATE | CVE | TITLE | DESCRIPTION | RISK (CVSS score)
---|---|---|---|---
2022-02-15 | CVE-2022-25212 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SWAMP Plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials. | 8.8
2022-02-09 | CVE-2022-0538 | Deserialization of Untrusted Data vulnerability in Jenkins core | Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. | 7.5
2022-01-12 | CVE-2022-20617 | OS Command Injection vulnerability in Jenkins Docker Commons Plugin | Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository. | 8.8
2022-01-12 | CVE-2022-20619 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 7.1
2022-01-12 | CVE-2022-23107 | Path Traversal vulnerability in Jenkins Warnings Next Generation Plugin | Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system. | 8.1
2022-01-12 | CVE-2022-23116 | Missing Encryption of Sensitive Data vulnerability in Jenkins Conjur Secrets Plugin | Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. | 7.5
2022-01-12 | CVE-2022-23117 | Insufficiently Protected Credentials vulnerability in Jenkins Conjur Secrets Plugin | Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. | 7.5
2022-01-12 | CVE-2022-23118 | Exposure of Resource to Wrong Sphere vulnerability in Jenkins Debian Package Builder Plugin | Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller. | 8.8
2021-11-12 | CVE-2021-43577 | XXE vulnerability in Jenkins OWASP Dependency-Check Plugin | Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.1
2021-11-12 | CVE-2021-43578 | Missing input validation of an agent-to-controller message in Jenkins Squash TM Publisher Plugin | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string. | 8.1
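Every row above states its affected range as "version X and earlier", which means the practical check for a given Jenkins instance is a version comparison of the installed core and plugins against those X values. The script below is an added example (not part of this listing and not code from the Jenkins project): it reads a plugin inventory in the JSON shape returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint (a `plugins` list with `shortName` and `version`), the core version as reported in the `X-Jenkins` response header, and flags every CVE from the table whose range contains the installed version. The plugin short names (IDs) in `ADVISORIES` are assumptions derived from the plugin names and should be verified against the plugin's page on plugins.jenkins.io before relying on the result; the sample inventory at the bottom is constructed.

```python
"""Audit a Jenkins plugin inventory against the 'X and earlier' ranges in the table above."""
import json
import re

# (CVE, plugin short name, highest affected version) taken from the table.
# The short names are ASSUMPTIONS based on the plugin titles; confirm on plugins.jenkins.io.
ADVISORIES = [
    ("CVE-2022-25212", "swamp", "1.2.6"),
    ("CVE-2022-20617", "docker-commons", "1.17"),
    ("CVE-2022-20619", "cloudbees-bitbucket-branch-source", "737.vdf9dc06105be"),
    ("CVE-2022-23107", "warnings-ng", "9.10.2"),
    ("CVE-2022-23116", "conjur-credentials", "1.0.9"),
    ("CVE-2022-23117", "conjur-credentials", "1.0.9"),
    ("CVE-2022-23118", "debian-package-builder", "1.6.11"),
    ("CVE-2021-43577", "dependency-check-jenkins-plugin", "5.1.1"),
    ("CVE-2021-43578", "squashtm-publisher-plugin", "1.0.0"),
]

# CVE-2022-0538: weekly releases carry two components (2.333), LTS releases three (2.319.2).
CORE_MAX_AFFECTED = {"weekly": "2.333", "lts": "2.319.2"}


def version_key(version: str) -> tuple:
    """Sortable key approximating Jenkins' hudson.util.VersionNumber ordering.

    Components are split on '.' and '-'. Numeric components compare as integers
    (so 9.10.10 > 9.10.2, unlike a string compare); alphanumeric components such as
    the 'vdf9dc06105be' hash of an incrementals version compare as strings and sort
    after numeric ones at the same position.
    """
    key = []
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part))
    return tuple(key)


def is_affected(installed: str, max_affected: str) -> bool:
    """True when the installed version lies in 'max_affected and earlier'."""
    return version_key(installed) <= version_key(max_affected)


def core_affected(core_version: str) -> bool:
    """Pick the LTS or weekly range from the component count, then compare."""
    line = "lts" if core_version.count(".") >= 2 else "weekly"
    return is_affected(core_version, CORE_MAX_AFFECTED[line])


def audit(plugin_inventory: dict, core_version: str) -> list:
    """Return one finding per matching CVE: {'cve', 'component', 'version'}."""
    installed = {p["shortName"]: p["version"] for p in plugin_inventory["plugins"]}
    findings = []
    if core_affected(core_version):
        findings.append({"cve": "CVE-2022-0538", "component": "jenkins-core",
                         "version": core_version})
    for cve, plugin, max_affected in ADVISORIES:
        if plugin in installed and is_affected(installed[plugin], max_affected):
            findings.append({"cve": cve, "component": plugin,
                             "version": installed[plugin]})
    return findings


# Constructed sample input in the shape of /pluginManager/api/json?depth=1 (not a real instance).
SAMPLE_INVENTORY = json.loads("""{"plugins": [
  {"shortName": "docker-commons", "version": "1.17"},
  {"shortName": "warnings-ng", "version": "9.10.3"},
  {"shortName": "cloudbees-bitbucket-branch-source", "version": "737.vdf9dc06105be"},
  {"shortName": "conjur-credentials", "version": "1.0.10"},
  {"shortName": "git", "version": "4.10.2"}
]}""")
SAMPLE_CORE_VERSION = "2.319.2"  # as it would appear in the X-Jenkins response header

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, SAMPLE_CORE_VERSION):
        print(f"{finding['cve']}: {finding['component']} {finding['version']} is affected")
```

Against a live controller, the inventory comes from `curl -u USER:API_TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"` and the core version from the `X-Jenkins` header of any response; the script deliberately stays offline so the comparison logic can be tested on its own. Note that "1.17 and earlier" does not include a later 1.17.1, and that a pre-release suffix such as `-SNAPSHOT` is not modelled here.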