Latest Jenkins Vulnerabilities

SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution
SolarWinds Access Rights Manager=2023.2.3
Jetbrains Teamcity
SonicWall firewall
Perforce Helix Core Server
and 1 more
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability
SolarWinds Access Rights Manager=2023.2.3
Jetbrains Teamcity
SonicWall firewall
Perforce Helix Core Server
and 1 more
Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenki...
maven/io.jenkins.plugins:redhat-dependency-analytics<0.9.0
Jenkins Red Hat Dependency Analytics<=0.7.1
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing u...
maven/org.jenkins-ci.plugins:log-command<=1.0.2
Jenkins Log Command<=1.0.2
A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.
maven/io.jenkins.plugins:gitlab-branch-source<688.v5fa
Jenkins Github Branch Source<=684.vea_fa_7c1e2fe3
Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This coul...
maven/io.jenkins.plugins:gitlab-branch-source<688.v5fa
Jenkins Github Branch Source<=684.vea_fa_7c1e2fe3
GitLab allows sharing a project with another group. Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner gr...
maven/io.jenkins.plugins:gitlab-branch-source<688.v5fa
Jenkins Github Branch Source<=684.vea_fa_7c1e2fe3
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's conten...
maven/org.jenkins-ci.plugins:git-server<99.101.v720e86326c09
Jenkins Git Server<=99.va_0826a_b_cdfa_d
Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the `config.xml` REST API endpoint. This allow...
maven/org.jenkins-ci.plugins:matrix-project<822.824.v14451b
Jenkins Matrix Project Jenkins<=822.v01b_8c85d16d2
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through ...
Jenkins Jenkins=2.442
Jenkins Jenkins=LTS 2.426.3
redhat/Jenkins<2.442
redhat/Jenkins LTS<2.426.3
maven/org.jenkins-ci.main:jenkins-core>=2.427<=2.440
maven/org.jenkins-ci.main:jenkins-core>=2.217<=2.426.2
and 5 more
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, ...
Jenkins CI/CD=2.442
Jenkins CI/CD=LTS 2.426.3
Jenkins Jenkins<2.426.3
Jenkins Jenkins<2.442
maven/org.jenkins-ci.main:jenkins-core>=2.427<2.440.1
maven/org.jenkins-ci.main:jenkins-core=2.441
and 3 more
Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.
Jenkins Paaslane Estimate<=1.0.4
maven/com.cloudtp.jenkins:paaslane-estimate<=1.0.4
A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token.
Jenkins Paaslane Estimate<=1.0.4
maven/com.cloudtp.jenkins:paaslane-estimate<=1.0.4
Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture t...
Jenkins Paaslane Estimate<=1.0.4
maven/com.cloudtp.jenkins:paaslane-estimate<=1.0.4
Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Exten...
Jenkins Paaslane Estimate<=1.0.4
maven/com.cloudtp.jenkins:paaslane-estimate<=1.0.4
A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.
Jenkins Html Resource=1.01
Jenkins Html Resource=1.02
maven/org.jenkins-ci.plugins:htmlresource<=1.02
A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.
Jenkins Deployment Dashboard<=1.0.10
maven/org.jenkins-ci.plugins:ec2-deployment-dashboard<=1.0.10
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Jenkins Dingding Json Pusher<=2.0
maven/com.zintow:dingding-json-pusher<=2.0
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Jenkins Openid<=2.6
maven/org.jenkins-ci.plugins:oic-auth<=2.6
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permiss...
Jenkins Dingding Json Pusher<=2.0
maven/com.zintow:dingding-json-pusher<=2.0
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Je...
Jenkins Openid<=2.6
maven/org.jenkins-ci.plugins:oic-auth<=2.6
Jenkins Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an att...
Jenkins Nexus Platform<=3.18.0-03
maven/org.sonatype.nexus.ci:nexus-jenkins-plugin<3.18.1-01
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified crede...
Jenkins Nexus Platform<=3.18.0-03
maven/org.sonatype.nexus.ci:nexus-jenkins-plugin<3.18.1-01
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as...
Jenkins Nexus Platform<=3.18.0-03
maven/org.sonatype.nexus.ci:nexus-jenkins-plugin<3.18.1-01
A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.
Jenkins Scriptler<=342.v6a_89fd40f466
maven/org.jenkins-ci.plugins:scriptler<=342.v6a
Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary fi...
maven/org.jenkins-ci.plugins:scriptler<=342.v6a
Jenkins Scriptler<=342.v6a_89fd40f466
A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using ...
Jenkins Neuvector Vulnerability Scanner<=1.22
maven/o.jenkins.plugins:neuvector-vulnerability-scanner<2.2
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Jenkins Matlab<2.11.1
maven/org.jenkins-ci.plugins:matlab<2.11.1
A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attack...
maven/o.jenkins.plugins:neuvector-vulnerability-scanner<2.2
Jenkins Neuvector Vulnerability Scanner<2.2
Jenkins Jira<3.1.2
Jenkins Google Compute Engine<4.551.0
Jenkins Matlab<2.11.1
A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.
Jenkins Matlab<2.11.1
maven/org.jenkins-ci.plugins:matlab<2.11.1
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entit...
Jenkins Jira<=3.11
maven/org.jenkins-ci.plugins:jira<3.12
Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.
Jenkins Matlab<2.11.1
maven/org.jenkins-ci.plugins:matlab<2.11.1
Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on...
Jenkins Google Compute Engine<4.3.17.1
maven/org.jenkins-ci.plugins:google-compute-engine>=4.5<4.551.v5a
maven/org.jenkins-ci.plugins:google-compute-engine<4.3.17.1
Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use...
Jenkins Zanata<=0.6
maven/org.jenkins-ci.plugins:zanata<=0.6
Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/...
Jenkins Edgewall Trac<=1.13
maven/org.jenkins-ci.plugins:trac<=1.13
Jenkins Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use s...
Jenkins Gogs<=1.0.15
maven/org.jenkins-ci.plugins:gogs-webhook<=1.0.15
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build s...
Jenkins Cloudbees Cd<=1.1.32
maven/org.jenkins-ci.plugins:electricflow<1.1.33
Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allo...
Jenkins Multibranch Scan Webhook Trigger<=1.0.9
maven/igalg.jenkins.plugins:multibranch-scan-webhook-trigger<=1.0.9
In Jenkins CloudBees CD Plugin, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step. CloudBees ...
Jenkins Cloudbees Cd<=1.1.32
maven/org.jenkins-ci.plugins:electricflow<1.1.33
A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jen...
Jenkins Lambdatest-automation<=1.20.9
maven/org.jenkins-ci.plugins:lambdatest-automation<1.20.10
Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.
Jenkins Lambdatest-automation<1.21.0
maven/org.jenkins-ci.plugins:lambdatest-automation<1.21.0
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not...
Jenkins Warnings<=10.5.0
maven/io.jenkins.plugins:warnings-ng<10.4.1
maven/io.jenkins.plugins:warnings-ng=10.5.0
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by at...
Jenkins Github<=1.37.3
maven/com.coravy.hudson.plugins.github:github<1.37.3.1
HTTP/2 HPACK integer overflow and buffer allocation
debian/jetty9<=9.4.16-0+deb10u1<=9.4.39-3+deb11u2
redhat/http2-hpack<10.0.16
redhat/http2-hpack<11.0.16
redhat/http2-hpack<9.4.53
redhat/http3-qpack<10.0.16
redhat/http3-qpack<11.0.161
and 15 more
Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 556 more
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system tempora...
Jenkins Jenkins<2.414.2
Jenkins Jenkins<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.415<2.424
maven/org.jenkins-ci.main:jenkins-core>=2.50<2.414.2

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203