Jenkins vulnerabilities: High risk
DATE | CVE | TITLE | DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|---|
2023-03-22 | CVE-2023-28685 | XXE vulnerability in Jenkins AbsInt a³ | Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.1 |
2023-03-10 | CVE-2023-27899 | Incorrect Authorization vulnerability in Jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory, with the default permissions for newly created files, when a plugin is uploaded for installation. Attackers with access to the Jenkins controller file system can read and write that file before it is used, potentially resulting in arbitrary code execution. | 7.0 |
2023-03-10 | CVE-2023-27900 | Allocation of Resources Without Limits or Throttling vulnerability in Jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library in hudson.util.MultipartFormDataParser without setting the limit on the number of request parts that FileUpload 1.5 introduced to fix CVE-2023-24998, allowing attackers to trigger a denial of service. | 7.5 |
2023-03-10 | CVE-2023-27901 | Allocation of Resources Without Limits or Throttling vulnerability in Jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library in org.kohsuke.stapler.RequestImpl without setting the limit on the number of request parts that FileUpload 1.5 introduced to fix CVE-2023-24998, allowing attackers to trigger a denial of service. | 7.5 |
2023-02-15 | CVE-2023-25767 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Azure Credentials | A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to make the Jenkins controller connect to an attacker-specified web server. | 8.8 |
2023-01-26 | CVE-2023-24422 | OS Command Injection vulnerability in Jenkins Script Security | A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 8.8 |
2023-01-26 | CVE-2023-24424 | Session Fixation vulnerability in Jenkins OpenId Connect Authentication | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | 8.8 |
2023-01-26 | CVE-2023-24426 | Insufficient Session Expiration vulnerability in Jenkins Azure AD | Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. | 8.8 |
2023-01-26 | CVE-2023-24432 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Orka by MacStadium | A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to make the Jenkins controller connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2023-01-26 | CVE-2023-24434 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to make the Jenkins controller connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
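The first row (CVE-2023-28685) is the recurring "plugin parses tool output with a default JAXP parser" bug. The following is an added example, not the AbsInt a³ plugin's code and not the fix the plugin shipped, of how a Jenkins plugin should configure `javax.xml.parsers.DocumentBuilderFactory` before parsing attacker-influenced XML, with a constructed XXE payload to show the parser refusing it. The class name `HardenedXml` and the sample documents are assumptions made for the illustration; the feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added illustration (hypothetical class): an XML parser that cannot be used for XXE. */
public final class HardenedXml {

    private HardenedXml() {}

    /** Returns a DocumentBuilderFactory with DTDs, external entities and external fetches disabled. */
    public static DocumentBuilderFactory newFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single control: refuse any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            // JAXP 1.5+: block external DTD/schema fetches even if a DOCTYPE were accepted.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Old third-party Xerces builds on the plugin classpath do not know these attributes;
            // the features set above still apply.
        }
        return f;
    }

    /** Parses untrusted XML bytes with the hardened factory; throws SAXException on a DOCTYPE. */
    public static Document parse(byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = newFactory().newDocumentBuilder();
        // Never let the parser resolve anything on its own, whatever the features say.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: a classic file-read XXE, as an attacker would embed
        // in a tool report the plugin later reads.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<r>&xxe;</r>";
        try {
            parse(xxe.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: payload was parsed");
        } catch (SAXException e) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE line.
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed benign report: still parses normally.
        Document ok = parse("<report><file name=\"a.c\"/></report>".getBytes(StandardCharsets.UTF_8));
        System.out.println("root element: " + ok.getDocumentElement().getTagName());
    }
}
```

The same five settings apply to `SAXParserFactory`, and `XMLInputFactory` needs `SUPPORT_DTD=false` and `IS_SUPPORTING_EXTERNAL_ENTITIES=false` instead; a plugin that builds its parser through a helper library (for example an XPath or XSLT wrapper) has to check which factory that library uses underneath.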
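The three core Jenkins rows (CVE-2023-27899, CVE-2023-27900 and CVE-2023-27901) both touch the same code path: receiving a multipart upload and staging it on disk. The following is an added example, not Jenkins' own code and not the patch Jenkins shipped, of handling such an upload with the two controls those advisories describe: Commons FileUpload 1.5 limits (`setFileCountMax`, plus size limits) and a staging file that is created with owner-only permissions inside a directory the application controls rather than in the shared system temp directory. The class `PluginUploadHandler`, the limit values and the `ownedDir` parameter are assumptions for the illustration; it targets the `javax.servlet` API and commons-fileupload 1.5.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Added illustration (hypothetical class): bounded multipart parsing and a private staging file. */
public final class PluginUploadHandler {

    // Assumed limits: one plugin file plus a few form fields, 200 MiB per file.
    static final long MAX_PARTS = 10;
    static final long MAX_FILE_BYTES = 200L * 1024 * 1024;
    static final long MAX_REQUEST_BYTES = MAX_FILE_BYTES + 1024 * 1024;

    private PluginUploadHandler() {}

    /** FileUpload configured with the limits that FileUpload 1.5 added for CVE-2023-24998. */
    static ServletFileUpload newBoundedUpload(Path ownedDir) {
        // Parts above the size threshold are spooled to disk by DiskFileItemFactory; point that
        // repository at our own directory too, not at java.io.tmpdir.
        DiskFileItemFactory factory =
                new DiskFileItemFactory(DiskFileItemFactory.DEFAULT_SIZE_THRESHOLD, ownedDir.toFile());
        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(MAX_PARTS);       // the limit the CVE-2023-27900/27901 rows are about
        upload.setFileSizeMax(MAX_FILE_BYTES);   // per part
        upload.setSizeMax(MAX_REQUEST_BYTES);    // whole request
        return upload;
    }

    /** Creates an empty staging file readable and writable only by the owner, atomically. */
    static Path createPrivateTempFile(Path ownedDir) throws IOException {
        Files.createDirectories(ownedDir);
        try {
            FileAttribute<?> ownerOnly = PosixFilePermissions.asFileAttribute(
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            // Files.createTempFile opens with O_CREAT|O_EXCL and applies the mode at creation,
            // so there is no window in which another local user can open or replace the file.
            return Files.createTempFile(ownedDir, "uploaded", ".jpi", ownerOnly);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (Windows): no mode bits; rely on the owned directory's ACL.
            return Files.createTempFile(ownedDir, "uploaded", ".jpi");
        }
    }

    /** Parses the request and returns the private staging file holding the uploaded plugin. */
    public static Path handle(HttpServletRequest req, Path ownedDir)
            throws IOException, FileUploadException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            throw new FileUploadException("not a multipart request");
        }
        List<FileItem> items;
        try {
            items = newBoundedUpload(ownedDir).parseRequest(req);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            throw new FileUploadException("too many parts (limit " + MAX_PARTS + ")", e);
        }
        FileItem plugin = items.stream()
                .filter(i -> !i.isFormField())
                .findFirst()
                .orElseThrow(() -> new FileUploadException("no file part in request"));

        Path staged = createPrivateTempFile(ownedDir);
        // Write INTO the file created above. Files.copy(in, staged, REPLACE_EXISTING) would
        // delete and recreate it with default permissions, reopening the race the row describes.
        try (InputStream in = plugin.getInputStream();
             OutputStream out = Files.newOutputStream(staged,
                     StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING)) {
            in.transferTo(out);
        } finally {
            plugin.delete();   // drop FileUpload's own spool file, if one was created
        }
        return staged;
    }
}
```

The caller should verify the staged file (signature or checksum, archive inspection) and then move it into place with an atomic rename on the same file system; copying it again through a path another local user can write to would undo the point of the private staging file.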
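The three CSRF rows (CVE-2023-25767, CVE-2023-24432 and CVE-2023-24434) share one root cause: a form-validation endpoint such as "Test connection" that accepts GET, performs no permission check, and uses a caller-supplied URL and credentials ID, so a cross-site page can make the controller send stored credentials to an attacker's server. The following is an added example of the pattern Jenkins documents for such endpoints, not code from any of the affected plugins: accept only POST (which Stapler pairs with a CSRF crumb), check the configuring user's permission in the right context, constrain the target URL, and avoid echoing connection details. The `GlobalConfiguration` subclass `ExampleConnectorConfiguration`, the parameter names and the https-only rule are assumptions for the illustration; it uses the credentials plugin's long-standing `lookupCredentials` signature.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Added illustration (hypothetical plugin): a "Test connection" validator that is not CSRF-exploitable. */
@Extension
public class ExampleConnectorConfiguration extends GlobalConfiguration {

    // @POST makes Stapler reject GET, and Jenkins requires a valid crumb on POST,
    // so a page on another origin cannot trigger this method in the victim's session.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        // Authorisation in the context the form belongs to: global config needs Administer,
        // a job's config page needs Configure on that job. Without this, any authenticated
        // (or, on open instances, anonymous) user could drive the controller's connections.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }

        // Constrain the destination: no file:, jar: or plain-http targets for a credential.
        URL url;
        try {
            url = new URL(serverUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL");
        }
        if (!"https".equals(url.getProtocol())) {
            return FormValidation.error("Only https:// URLs are accepted");
        }

        // Resolve the credentials ID in the same context, so a job cannot name a credential
        // it is not allowed to use.
        StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (cred == null) {
            return FormValidation.error("Credentials not found");
        }

        try {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setConnectTimeout(5_000);
            c.setReadTimeout(5_000);
            c.setInstanceFollowRedirects(false);   // a redirect could move the credential to http://
            String basic = Base64.getEncoder().encodeToString(
                    (cred.getUsername() + ":" + cred.getPassword().getPlainText())
                            .getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + basic);
            int status = c.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            // Do not return e.getMessage() wholesale: it can leak internal host names or the request.
            return FormValidation.error("Connection failed");
        }
    }
}
```

`@RequirePOST` from `org.kohsuke.stapler.interceptor` is the older equivalent of `@POST` and is still seen in many plugins; the permission check is the part that is most often missing. The matching `doFillCredentialsIdItems` method needs the same context-sensitive check, otherwise the dropdown itself enumerates credential IDs to users who may not use them.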