Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-07 CVE-2024-43045 Missing Authorization vulnerability in Jenkins
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".
network
low complexity
jenkins CWE-862
6.3
2024-01-24 CVE-2024-23899 Unspecified vulnerability in Jenkins GIT Server 99.Va0826Abcdfad
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
network
low complexity
jenkins
6.5
2024-01-24 CVE-2024-23900 Unspecified vulnerability in Jenkins Matrix Project
Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.
network
low complexity
jenkins
4.3
2024-01-24 CVE-2024-23901 Unspecified vulnerability in Jenkins Github Branch Source
Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group.
network
low complexity
jenkins
6.5
2024-01-24 CVE-2024-23902 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Github Branch Source
A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.
network
low complexity
jenkins CWE-352
4.3
2024-01-24 CVE-2024-23903 Incorrect Comparison vulnerability in Jenkins Github Branch Source
Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
network
low complexity
jenkins CWE-697
5.3
2024-01-24 CVE-2024-23905 Cross-site Scripting vulnerability in Jenkins RED HAT Dependency Analytics 0.7.0/0.7.1
Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc.
network
low complexity
jenkins CWE-79
5.4
2023-12-13 CVE-2023-50765 Missing Authorization vulnerability in Jenkins Scriptler
A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.
network
low complexity
jenkins CWE-862
4.3
2023-12-13 CVE-2023-50767 Missing Authorization vulnerability in Jenkins Nexus Platform 3.18.003
Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.
network
low complexity
jenkins CWE-862
5.4
2023-12-13 CVE-2023-50769 Missing Authorization vulnerability in Jenkins Nexus Platform 3.18.003
Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3