CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-35141
https://notcve.org/view.php?id=CVE-2023-35141
14 Jun 2023 — In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu. • http://www.openwall.com/lists/oss-security/2023/06/14/5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27904 – Jenkins: Information disclosure through error stack traces related to agents
https://notcve.org/view.php?id=CVE-2023-27904
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. Multicl... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27903 – Jenkins: Temporary file parameter created with insecure permissions
https://notcve.org/view.php?id=CVE-2023-27903
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used. A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CL... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058 • CWE-266: Incorrect Privilege Assignment CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27902 – Jenkins: Workspace temporary directories accessible through directory browser
https://notcve.org/view.php?id=CVE-2023-27902
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents. A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically all... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807 • CWE-266: Incorrect Privilege Assignment •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27901 – Jenkins: Denial of Service attack
https://notcve.org/view.php?id=CVE-2023-27901
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service. A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.Re... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27900 – Jenkins: Denial of Service attack
https://notcve.org/view.php?id=CVE-2023-27900
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.Multip... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27899 – Jenkins: Temporary plugin file created with insecure permissions
https://notcve.org/view.php?id=CVE-2023-27899
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If the... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823 • CWE-378: Creation of Temporary File With Insecure Permissions CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 0CVE-2023-27898 – Jenkins: XSS vulnerability in plugin manager
https://notcve.org/view.php?id=CVE-2023-27898
08 Mar 2023 — Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. A flaw was found in Jenkins. Affected versions of Jenkins do not escape th... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-2048 – http2-server: Invalid HTTP/2 requests cause DoS
https://notcve.org/view.php?id=CVE-2022-2048
07 Jul 2022 — In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. En la implementación del servidor Eclipse Jetty HTTP/2, cuando es encontrada una petición HTTP/2 no válida, el manejo de errores presenta un error que puede terminar por no limpiar apropi... • http://www.openwall.com/lists/oss-security/2022/09/09/2 • CWE-410: Insufficient Resource Pool CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-34174 – jenkins: Observable timing discrepancy allows determining username validity
https://notcve.org/view.php?id=CVE-2022-34174
22 Jun 2022 — In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. En Jenkins versiones 2.355 y anteriores, LTS versiones 2.332.3 y anteriores, una discrepancia de tiempo observable en el formulario de inicio de sesión permite distinguir entre los intentos de inicio de sesión con un nomb... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •