Jenkins vulnerabilities rated High

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2023-09-06 | CVE-2023-41939 | Improper Preservation of Permissions vulnerability in Jenkins Ssh2 Easy | Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional) permissions, like Overall/Manage, to access functionality they're no longer entitled to. | network | low complexity | jenkins | CWE-281 | 8.8 |
| 2023-09-06 | CVE-2023-41945 | Missing Authorization vulnerability in Jenkins Assembla Auth | Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. | network | low complexity | jenkins | CWE-862 | 8.8 |
| 2023-08-16 | CVE-2023-40336 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Folders | A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders. | network | low complexity | jenkins | CWE-352 | 8.8 |
| 2023-08-16 | CVE-2023-40339 | Unspecified vulnerability in Jenkins Config File Provider | Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | network | low complexity | jenkins | | 7.5 |
| 2023-08-16 | CVE-2023-40340 | Unspecified vulnerability in Jenkins Nodejs | Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. | network | low complexity | jenkins | | 7.5 |
| 2023-08-16 | CVE-2023-40341 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Blue Ocean | A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. | network | low complexity | jenkins | CWE-352 | 8.8 |
| 2023-07-26 | CVE-2023-3442 | Missing Authorization vulnerability in Jenkins Servicenow Devops | A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply version 1.38.1 of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. | network | low complexity | jenkins | CWE-862 | 7.5 |
| 2023-07-12 | CVE-2023-37946 | Session Fixation vulnerability in Jenkins Openshift Login | Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login. | network | low complexity | jenkins | CWE-384 | 8.8 |
| 2023-07-12 | CVE-2023-37949 | Missing Authorization vulnerability in Jenkins Orka BY Macstadium | A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | network | low complexity | jenkins | CWE-862 | 7.1 |
| 2023-07-12 | CVE-2023-37957 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline Restful API | A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token. | network | low complexity | jenkins | CWE-352 | 8.8 |