Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-12 | CVE-2022-29047 | Incorrect Authorization vulnerability in Jenkins Pipeline: Shared Groovy Libraries Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them. | 5.3 |
| 2022-04-12 | CVE-2022-29048 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL. | 4.3 |
| 2022-04-12 | CVE-2022-29049 | Cross-site Scripting vulnerability in Jenkins Promoted Builds Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name. | 5.4 |
| 2022-04-12 | CVE-2022-29051 | Missing Authorization vulnerability in Jenkins Publish Over FTP Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. | 4.3 |
| 2022-04-12 | CVE-2022-29052 | Insufficiently Protected Credentials vulnerability in Jenkins Google Compute Engine Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 4.3 |
| 2022-03-29 | CVE-2022-28133 | Cross-site Scripting vulnerability in Jenkins Bitbucket Server Integration Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | 5.4 |
| 2022-03-29 | CVE-2022-28134 | Missing Authorization vulnerability in Jenkins Bitbucket Server Integration Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. | 5.4 |
| 2022-03-29 | CVE-2022-28135 | Insufficiently Protected Credentials vulnerability in Jenkins Instant-Messaging Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 6.5 |
| 2022-03-29 | CVE-2022-28137 | Missing Authorization vulnerability in Jenkins Jiratestresultreporter A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | 4.3 |
| 2022-03-29 | CVE-2022-28138 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Rocketchat Notifier A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential. | 4.3 |