Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-11-15 CVE-2022-45401 Cross-site Scripting vulnerability in Jenkins Associated Files 0.2.1
Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-10-19 CVE-2022-43408 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline:Stage View
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
network
low complexity
jenkins CWE-352
6.5
2022-10-19 CVE-2022-43409 Cross-site Scripting vulnerability in Jenkins Pipeline: Supporting Apis 838.Va3A087B4055B
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
network
low complexity
jenkins CWE-79
5.4
2022-10-19 CVE-2022-43410 Unspecified vulnerability in Jenkins Mercurial
Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.
network
low complexity
jenkins
5.3
2022-10-19 CVE-2022-43411 Information Exposure Through Discrepancy vulnerability in Jenkins Gitlab
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
network
low complexity
jenkins CWE-203
5.3
2022-10-19 CVE-2022-43412 Information Exposure Through Discrepancy vulnerability in Jenkins Generic Webhook Trigger
Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
network
low complexity
jenkins CWE-203
5.3
2022-10-19 CVE-2022-43413 Missing Authorization vulnerability in Jenkins JOB Import
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3
2022-10-19 CVE-2022-43414 Unspecified vulnerability in Jenkins Nunit
Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.
network
low complexity
jenkins
5.3
2022-10-19 CVE-2022-43417 Missing Authorization vulnerability in Jenkins Katalon
Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3
2022-10-19 CVE-2022-43418 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Katalon
A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-352
4.3