Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-01 | CVE-2020-2247 | XXE vulnerability in Jenkins Klocwork Analysis Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 6.5 |
| 2020-09-01 | CVE-2020-2246 | Cross-site Scripting vulnerability in Jenkins Valgrind Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents. | 5.4 |
| 2020-09-01 | CVE-2020-2244 | Cross-site Scripting vulnerability in Jenkins Build Failure Analyzer Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications. | 5.4 |
| 2020-09-01 | CVE-2020-2243 | Cross-site Scripting vulnerability in Jenkins Cadence Vmanager Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | 5.4 |
| 2020-09-01 | CVE-2020-2242 | Missing Authorization vulnerability in Jenkins Database A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials. | 6.5 |
| 2020-09-01 | CVE-2020-2239 | Missing Encryption of Sensitive Data vulnerability in Jenkins Parameterized Remote Trigger Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | 4.3 |
| 2020-09-01 | CVE-2020-2238 | Cross-site Scripting vulnerability in Jenkins GIT Parameter Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2020-08-12 | CVE-2020-2237 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Flaky Test Handler A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision. | 4.3 |
| 2020-08-12 | CVE-2020-2236 | Cross-site Scripting vulnerability in Jenkins YET Another Build Visualizer Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission. | 5.4 |
| 2020-08-12 | CVE-2020-2235 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | 6.5 |