Vulnerabilities > Jenkins > High

DATE CVE VULNERABILITY TITLE RISK
2023-11-29 CVE-2023-49673 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins products
A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
network
low complexity
jenkins CWE-352
8.8
2023-10-25 CVE-2023-46654 Link Following vulnerability in Jenkins Cloudbees CD
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
network
low complexity
jenkins CWE-59
8.1
2023-10-10 CVE-2023-36478 Eclipse Jetty provides a web server and servlet container.
network
low complexity
eclipse jenkins debian
7.5
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2023-09-20 CVE-2023-43496 Incorrect Default Permissions vulnerability in Jenkins
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
network
low complexity
jenkins CWE-276
8.8
2023-09-20 CVE-2023-43497 Unrestricted Upload of File with Dangerous Type vulnerability in Jenkins
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
network
low complexity
jenkins CWE-434
8.1
2023-09-20 CVE-2023-43498 Unspecified vulnerability in Jenkins
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
network
low complexity
jenkins
8.1
2023-09-20 CVE-2023-43500 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
network
low complexity
jenkins CWE-352
8.8
2023-09-06 CVE-2023-41933 XXE vulnerability in Jenkins JOB Configuration History
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
network
low complexity
jenkins CWE-611
8.8
2023-09-06 CVE-2023-41935 Incorrect Comparison vulnerability in Jenkins Azure AD
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
network
low complexity
jenkins CWE-697
7.5