Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-02 | CVE-2024-47803 | Information Exposure Through an Error Message vulnerability in Jenkins Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. | 4.3 |
| 2024-10-02 | CVE-2024-47804 | Unspecified vulnerability in Jenkins If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction. | 4.3 |
| 2024-08-07 | CVE-2024-43045 | Missing Authorization vulnerability in Jenkins Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views". | 6.3 |
| 2024-03-06 | CVE-2024-28153 | Cross-site Scripting vulnerability in Jenkins Owasp Dependency-Check Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. | 5.4 |
| 2024-03-06 | CVE-2024-28154 | Unspecified vulnerability in Jenkins MQ Notifier Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. | 6.5 |
| 2024-03-06 | CVE-2024-28155 | Missing Authorization vulnerability in Jenkins Appspider Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. | 4.3 |
| 2024-03-06 | CVE-2024-28156 | Cross-site Scripting vulnerability in Jenkins Build Monitor View Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views. | 5.4 |
| 2024-01-24 | CVE-2024-23899 | Unspecified vulnerability in Jenkins GIT Server 99.Va0826Abcdfad Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system. | 6.5 |
| 2024-01-24 | CVE-2024-23900 | Unspecified vulnerability in Jenkins Matrix Project Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. | 4.3 |
| 2024-01-24 | CVE-2024-23901 | Unspecified vulnerability in Jenkins Github Branch Source Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group. | 6.5 |