Jenkins: High-risk vulnerabilities
DATE | CVE | VULNERABILITY (title: description) | RISK (CVSS) |
---|---|---|---|
2020-09-16 | CVE-2020-2276 | OS Command Injection vulnerability in Jenkins Selection Tasks 1.0: Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as. | 8.8 |
2020-09-16 | CVE-2020-2268 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Mongodb: A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. | 8.8 |
2020-09-16 | CVE-2020-2261 | OS Command Injection vulnerability in Jenkins Perfecto: Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. | 8.8 |
2020-09-01 | CVE-2020-2245 | XXE vulnerability in Jenkins Valgrind: Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.1 |
2020-09-01 | CVE-2020-2241 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Database: A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. | 8.8 |
2020-09-01 | CVE-2020-2240 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Database: A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. | 8.8 |
2020-08-12 | CVE-2020-2232 | Cleartext Transmission of Sensitive Information vulnerability in Jenkins Email Extension 2.72/2.73: Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. | 7.5 |
2020-07-15 | CVE-2020-2228 | Incorrect Authorization vulnerability in Jenkins Gitlab Authentication: Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. | 8.8 |
2020-07-02 | CVE-2020-2211 | Deserialization of Untrusted Data vulnerability in Jenkins Kubernetes CI: Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 8.8 |
2020-06-03 | CVE-2020-2200 | OS Command Injection vulnerability in Jenkins Play Framework: Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master. | 8.8 |