Jenkins vulnerabilities (medium severity)

DATE | CVE | VULNERABILITY TITLE | RISK

2020-09-16 | CVE-2020-2258 | Incorrect Authorization vulnerability in Jenkins Health Advisor by CloudBees | 4.3
    Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-863

2020-09-16 | CVE-2020-2257 | Cross-site Scripting vulnerability in Jenkins Validating String Parameter | 5.4
    Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-79

2020-09-16 | CVE-2020-2256 | Cross-site Scripting vulnerability in Jenkins Pipeline Maven Integration | 5.4
    Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-79

2020-09-16 | CVE-2020-2255 | Missing Authorization vulnerability in Jenkins Blue Ocean | 4.3
    A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-862

2020-09-16 | CVE-2020-2254 | Path Traversal vulnerability in Jenkins Blue Ocean | 6.5
    Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-22

2020-09-16 | CVE-2020-2253 | Improper Certificate Validation vulnerability in Jenkins Email Extension | 4.8
    Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.
    Attack vector: network; attack complexity: high; vendor: jenkins; CWE-295

2020-09-16 | CVE-2020-2252 | Improper Certificate Validation vulnerability in Jenkins Mailer | 4.8
    Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.
    Attack vector: network; attack complexity: high; vendor: jenkins; CWE-295

2020-09-01 | CVE-2020-2251 | Cleartext Transmission of Sensitive Information vulnerability in Jenkins SoapUI Pro Functional Testing | 4.3
    Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-319

2020-09-01 | CVE-2020-2250 | Missing Encryption of Sensitive Data vulnerability in Jenkins SoapUI Pro Functional Testing | 6.5
    Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by attackers with Extended Read permission or with access to the Jenkins controller file system.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-311

2020-09-01 | CVE-2020-2248 | Cross-site Scripting vulnerability in Jenkins JSGames 0.1/0.2 | 6.1
    Jenkins JSGames Plugin 0.2 and earlier evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.
    Attack vector: network; attack complexity: low; vendor: jenkins; CWE-79