Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-12 | CVE-2022-46687 | Cross-site Scripting vulnerability in Jenkins Spring Config Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | 5.4 |
| 2022-12-12 | CVE-2022-46688 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Sonar Gerrit A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | 6.5 |
| 2022-11-15 | CVE-2022-45380 | Cross-site Scripting vulnerability in Jenkins Junit Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
| 2022-11-15 | CVE-2022-45382 | Cross-site Scripting vulnerability in Jenkins Naginator 1.18.1 Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | 5.4 |
| 2022-11-15 | CVE-2022-45383 | Incorrect Authorization vulnerability in Jenkins Support Core An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. | 6.5 |
| 2022-11-15 | CVE-2022-45384 | Insufficiently Protected Credentials vulnerability in Jenkins Reverse Proxy Auth Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | 6.5 |
| 2022-11-15 | CVE-2022-45386 | XXE vulnerability in Jenkins Violations 0.7.11 Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 5.5 |
| 2022-11-15 | CVE-2022-45387 | Cross-site Scripting vulnerability in Jenkins Bart 1.0.3 Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. | 5.4 |
| 2022-11-15 | CVE-2022-45389 | Missing Authorization vulnerability in Jenkins Xp-Dev 1.0 A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. | 5.3 |
| 2022-11-15 | CVE-2022-45390 | Missing Authorization vulnerability in Jenkins Loader.Io 1.0.1 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |