Vulnerabilities > Jenkins > Low
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2023-11-29 | CVE-2023-49652 | Missing Authorization vulnerability in Jenkins Google Compute Engine | Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credential IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credential IDs obtained through another method, to obtain information about existing projects. | 2.7 |
| 2023-09-06 | CVE-2023-41946 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Frugal Testing 1.0/1.1 | A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. | 3.5 |
| 2023-07-12 | CVE-2023-37948 | Improper Input Validation vulnerability in Jenkins Cloud Infrastructure Compute | Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting to OCI clouds, enabling man-in-the-middle attacks. | 3.7 |
| 2023-05-16 | CVE-2023-2195 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Code DX | A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL. | 3.5 |
| 2023-05-16 | CVE-2023-32994 | Improper Certificate Validation vulnerability in Jenkins Saml Single Sign on | Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | 3.7 |
| 2023-02-15 | CVE-2023-23847 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Synopsys Coverity | A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins. | 3.5 |
| 2022-11-15 | CVE-2022-45393 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Delete LOG 1.0 | A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. | 3.5 |
| 2022-01-12 | CVE-2022-23114 | Insufficiently Protected Credentials vulnerability in Jenkins Publish Over SSH | Jenkins Publish Over SSH Plugin 1.22 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 3.3 |
| 2020-10-08 | CVE-2020-2297 | Insufficiently Protected Credentials vulnerability in Jenkins SMS Notification 1.0.1/1.1/1.2 | Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 3.3 |
| 2020-10-08 | CVE-2020-2291 | Insufficiently Protected Credentials vulnerability in Jenkins Couchdb-Statistics | Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 3.3 |