| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code. |
| Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. |
| Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller |
| Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. |
| Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. |
| Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. |
| Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master. |
| Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin. |
| Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
