Vulnerabilities > Jenkins > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-29 | CVE-2023-49673 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins products A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | 8.8 |
| 2023-10-25 | CVE-2023-46654 | Link Following vulnerability in Jenkins Cloudbees CD Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system. | 8.1 |
| 2023-10-10 | CVE-2023-36478 | Resource Exhaustion vulnerability in multiple products Eclipse Jetty provides a web server and servlet container. | 7.5 |
| 2023-10-10 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
| 2023-09-20 | CVE-2023-43496 | Incorrect Default Permissions vulnerability in Jenkins Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. | 8.8 |
| 2023-09-20 | CVE-2023-43497 | Unrestricted Upload of File with Dangerous Type vulnerability in Jenkins In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 8.1 |
| 2023-09-20 | CVE-2023-43498 | Unspecified vulnerability in Jenkins In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. | 8.1 |
| 2023-09-20 | CVE-2023-43500 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. | 8.8 |
| 2023-09-06 | CVE-2023-41933 | XXE vulnerability in Jenkins JOB Configuration History Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.8 |
| 2023-09-06 | CVE-2023-41935 | Incorrect Comparison vulnerability in Jenkins Azure AD Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce. | 7.5 |