Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-12 | CVE-2022-23110 | Cross-site Scripting vulnerability in Jenkins Publish Over SSH Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | 4.8 |
| 2022-01-12 | CVE-2022-23111 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Publish Over SSH A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. | 4.3 |
| 2022-01-12 | CVE-2022-23112 | Missing Authorization vulnerability in Jenkins Publish Over SSH A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. | 6.5 |
| 2022-01-12 | CVE-2022-23113 | Path Traversal vulnerability in Jenkins Publish Over SSH Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files. | 4.3 |
| 2022-01-12 | CVE-2022-23115 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Batch Task Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task. | 5.4 |
| 2021-11-12 | CVE-2021-21699 | Cross-site Scripting vulnerability in Jenkins Active Choices Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2021-11-12 | CVE-2021-21700 | Cross-site Scripting vulnerability in Jenkins Scriptler 3.1/3.2/3.3 Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts. | 5.4 |
| 2021-11-12 | CVE-2021-21701 | XXE vulnerability in Jenkins Performance 3.20 Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 6.5 |
| 2021-11-12 | CVE-2021-43576 | XXE vulnerability in Jenkins Pom2Config 1.2 Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | 6.5 |
| 2021-10-06 | CVE-2021-21682 | Unspecified vulnerability in Jenkins Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. | 4.3 |