Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-2613

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-15 May, 2018 | 22:00
Updated At-05 Aug, 2024 | 14:02
Rejected At-
Credits

jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:15 May, 2018 | 22:00
Updated At:05 Aug, 2024 | 14:02
Rejected At:
▼CVE Numbering Authority (CNA)

jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

Affected Products
Vendor
[UNKNOWN]
Product
jenkins
Versions
Affected
  • jenkins 2.44
  • jenkins 2.32.2
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770
Type: CWE
CWE ID: CWE-770
Description: CWE-770
Metrics
VersionBase scoreBase severityVector
3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jenkins.io/security/advisory/2017-02-01/
x_refsource_CONFIRM
https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
x_refsource_CONFIRM
http://www.securityfocus.com/bid/95967
vdb-entry
x_refsource_BID
Hyperlink: https://jenkins.io/security/advisory/2017-02-01/
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
Resource:
x_refsource_CONFIRM
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securityfocus.com/bid/95967
Resource:
vdb-entry
x_refsource_BID
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jenkins.io/security/advisory/2017-02-01/
x_refsource_CONFIRM
x_transferred
https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
x_refsource_CONFIRM
x_transferred
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
x_refsource_CONFIRM
x_transferred
http://www.securityfocus.com/bid/95967
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://jenkins.io/security/advisory/2017-02-01/
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securityfocus.com/bid/95967
Resource:
vdb-entry
x_refsource_BID
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:15 May, 2018 | 22:29
Updated At:09 Oct, 2019 | 23:26

jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Secondary3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary2.05.8MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:P
Type: Primary
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Type: Secondary
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Type: Primary
Version: 2.0
Base score: 5.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:P
CPE Matches
Jenkins
jenkins
>>jenkins>>Versions before 2.32.2(exclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Jenkins
jenkins
>>jenkins>>Versions before 2.44(exclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE-770Secondarysecalert@redhat.com
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-770
Type: Secondary
Source: secalert@redhat.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/95967secalert@redhat.com
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613secalert@redhat.com
Issue Tracking
https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601secalert@redhat.com
Patch
https://jenkins.io/security/advisory/2017-02-01/secalert@redhat.com
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/95967
Source: secalert@redhat.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
Source: secalert@redhat.com
Resource:
Issue Tracking
Hyperlink: https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
Source: secalert@redhat.com
Resource:
Patch
Hyperlink: https://jenkins.io/security/advisory/2017-02-01/
Source: secalert@redhat.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

359Records found
CVE-2021-21644
Matching Score-10
Assigner-Jenkins Project
ShareView Details
Matching Score-10
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 22.09%
||
7 Day CHG~0.00%
Published-21 Apr, 2021 | 14:20
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

Action-Not Available
Vendor-Jenkins
Product-config_file_providerJenkins Config File Provider Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1000414
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.07% / 22.30%
||
7 Day CHG~0.00%
Published-09 Jan, 2019 | 23:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.

Action-Not Available
Vendor-n/aJenkins
Product-config_file_providern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1000417
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.07% / 22.05%
||
7 Day CHG~0.00%
Published-09 Jan, 2019 | 23:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.

Action-Not Available
Vendor-n/aJenkins
Product-email_extension_templaten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-2321
Matching Score-10
Assigner-Jenkins Project
ShareView Details
Matching Score-10
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.15% / 35.86%
||
7 Day CHG~0.00%
Published-03 Dec, 2020 | 15:55
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.

Action-Not Available
Vendor-Jenkins
Product-shelve_projectJenkins Shelve Project Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-2281
Matching Score-10
Assigner-Jenkins Project
ShareView Details
Matching Score-10
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.02%
||
7 Day CHG~0.00%
Published-23 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources.

Action-Not Available
Vendor-Jenkins
Product-lockable_resourcesJenkins Lockable Resources Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2013-0327
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.22% / 44.14%
||
7 Day CHG~0.00%
Published-19 Mar, 2013 | 14:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43502
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.24%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 16:06
Updated-24 Sep, 2024 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes.

Action-Not Available
Vendor-Jenkins
Product-build_failure_analyzerJenkins Build Failure Analyzer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-28158
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.84%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 17:01
Updated-06 Jun, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build.

Action-Not Available
Vendor-Jenkins
Product-subversion_partial_release_managerJenkins Subversion Partial Release Manager Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43500
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.06% / 19.72%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 16:06
Updated-24 Sep, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

Action-Not Available
Vendor-Jenkins
Product-build_failure_analyzerJenkins Build Failure Analyzer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-2192
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 60.61%
||
7 Day CHG~0.00%
Published-03 Jun, 2020 | 12:40
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.

Action-Not Available
Vendor-Jenkins
Product-self-organizing_swarm_modulesJenkins Self-Organizing Swarm Plug-in Modules Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-23902
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 17:52
Updated-30 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-github_branch_sourceJenkins GitLab Branch Source Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-21617
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.07% / 22.94%
||
7 Day CHG~0.00%
Published-24 Feb, 2021 | 15:05
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

Action-Not Available
Vendor-Jenkins
Product-configuration_slicingJenkins Configuration Slicing Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-21665
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.07% / 22.94%
||
7 Day CHG~0.00%
Published-10 Jun, 2021 | 14:25
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-xebialabs_xl_deployJenkins XebiaLabs XL Deploy Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-21655
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-7.1||HIGH
EPSS-0.09% / 27.16%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 14:15
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.

Action-Not Available
Vendor-Jenkins
Product-p4Jenkins P4 Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-41249
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.10% / 27.63%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-27 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-scm_httpclientJenkins SCM HttpClient Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41938
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.66%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:08
Updated-26 Sep, 2024 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.

Action-Not Available
Vendor-Jenkins
Product-ivyJenkins Ivy Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-4301
Matching Score-6
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-6
Assigner-OpenText (formerly Micro Focus)
CVSS Score-4.2||MEDIUM
EPSS-0.23% / 45.98%
||
7 Day CHG~0.00%
Published-21 Aug, 2023 | 22:34
Updated-01 Oct, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSRF vulnerability in Fortify Plugin allow capturing credentials

A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-fortifyJenkins Fortify Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41946
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-3.5||LOW
EPSS-0.07% / 21.50%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:09
Updated-26 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.

Action-Not Available
Vendor-Jenkins
Product-frugal_testingJenkins Frugal Testing Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41942
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.66%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:09
Updated-26 Sep, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue.

Action-Not Available
Vendor-Jenkins
Product-aws_codecommit_triggerJenkins AWS CodeCommit Trigger Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2013-0328
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.87%
||
7 Day CHG~0.00%
Published-19 Mar, 2013 | 14:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-34789
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 25.23%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:47
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

Action-Not Available
Vendor-Jenkins
Product-matrix_reloadedJenkins Matrix Reloaded Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16569
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 64.28%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-mantisJenkins Mantis Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16550
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.12% / 32.03%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents.

Action-Not Available
Vendor-Jenkins
Product-mavenJenkins Maven Release Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-40336
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.12% / 31.11%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 14:32
Updated-08 Oct, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.

Action-Not Available
Vendor-Jenkins
Product-foldersJenkins Folders Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16565
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.10% / 28.86%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-team_concertJenkins Team Concert Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16570
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server.

Action-Not Available
Vendor-Jenkins
Product-rapiddeployJenkins RapidDeploy Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16560
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-websphere_deployerJenkins WebSphere Deployer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16573
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-alauda_devops_pipelineJenkins Alauda DevOps Pipeline Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16551
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-gerrit_triggerJenkins Gerrit Trigger Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16575
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.13% / 32.91%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-alauda_kubernetes_supportJenkins Alauda Kubernetes Suport Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-40341
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.31% / 53.64%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 14:32
Updated-08 Oct, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

Action-Not Available
Vendor-Jenkins
Product-blue_oceanJenkins Blue Ocean Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-39156
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-26 Jul, 2023 | 13:54
Updated-23 Oct, 2024 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

Action-Not Available
Vendor-Jenkins
Product-bazaarJenkins Bazaar Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-37954
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 15:52
Updated-06 Nov, 2024 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build.

Action-Not Available
Vendor-Jenkins
Product-rebuilderJenkins Rebuilder Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-37957
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.07% / 21.86%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 15:52
Updated-06 Nov, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token.

Action-Not Available
Vendor-Jenkins
Product-pipeline_restful_apiJenkins Pipeline restFul API Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000090
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.06% / 19.55%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.

Action-Not Available
Vendor-n/aJenkins
Product-role-based_authorization_strategyn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16553
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression.

Action-Not Available
Vendor-Jenkins
Product-build_failure_analyzerJenkins Build Failure Analyzer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-50778
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.08% / 24.89%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 17:30
Updated-13 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token.

Action-Not Available
Vendor-Jenkins
Product-paaslane_estimateJenkins PaaSLane Estimate Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-40351
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 14:32
Updated-08 Oct, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.

Action-Not Available
Vendor-Jenkins
Product-favorite_viewJenkins Favorite View Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000356
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.18% / 91.21%
||
7 Day CHG~0.00%
Published-29 Jan, 2018 | 17:00
Updated-05 Aug, 2024 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-37958
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.58%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 15:52
Updated-07 Nov, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-sumologic_publisherJenkins Sumologic Publisher Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000092
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.72%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

Action-Not Available
Vendor-n/aJenkins
Product-gitn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000093
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.06% / 19.55%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.

Action-Not Available
Vendor-n/aJenkins
Product-poll_scmn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000244
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.44%
||
7 Day CHG~0.00%
Published-01 Nov, 2017 | 13:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification

Action-Not Available
Vendor-n/aJenkins
Product-favoriten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-35141
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8||HIGH
EPSS-0.16% / 37.71%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 12:53
Updated-02 Jan, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-32980
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 40.25%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.

Action-Not Available
Vendor-Jenkins
Product-email_extensionJenkins Email Extension Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-33003
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.08%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers to reset profiler statistics.

Action-Not Available
Vendor-Jenkins
Product-tag_profilerJenkins Tag Profiler Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16548
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-21 Nov, 2019 | 14:11
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents.

Action-Not Available
Vendor-Jenkins
Product-google_compute_engineJenkins Google Compute Engine Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-32978
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.08%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 15:59
Updated-23 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-lightweight_directory_access_protocolJenkins LDAP Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000091
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 20.74%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.

Action-Not Available
Vendor-n/aJenkins
Product-github_branch_sourcen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10310
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.15% / 35.98%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 12:25
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins

Action-Not Available
Vendor-Jenkins
Product-ansible_towerJenkins Ansible Tower Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next
Details not found