| CVE-2022-28160 |
Medium |
Yes |
Arbitrary filesystem access |
Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller. |
| CVE-2022-28159 |
Medium |
Yes |
Cross-site scripting |
Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored... |
| CVE-2022-28158 |
Medium |
Yes |
Information disclosure |
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate... |
| CVE-2022-28157 |
Medium |
Yes |
Arbitrary file upload |
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins... |
| CVE-2022-28156 |
Medium |
Yes |
Information disclosure |
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the... |
| CVE-2022-28155 |
High |
Yes |
Xml external entity injection |
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-28154 |
High |
Yes |
Xml external entity injection |
Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-28153 |
Medium |
Yes |
Cross-site scripting |
Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS)... |
| CVE-2022-28152 |
Medium |
Yes |
Cross-site scripting |
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default... |
| CVE-2022-28151 |
Medium |
Yes |
Access restriction bypass |
A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and... |
| CVE-2022-28150 |
High |
Yes |
Cross-site request forgery |
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and... |
| CVE-2022-28149 |
Medium |
Yes |
Cross-site scripting |
Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross- site scripting... |
| CVE-2022-28148 |
Medium |
Yes |
Arbitrary filesystem access |
The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting... |
| CVE-2022-28147 |
Medium |
Yes |
Information disclosure |
A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check... |
| CVE-2022-28146 |
Medium |
Yes |
Arbitrary filesystem access |
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins... |
| CVE-2022-28145 |
Medium |
Yes |
Cross-site scripting |
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in... |
| CVE-2022-28144 |
Medium |
Yes |
Unknown |
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to... |
| CVE-2022-28143 |
Medium |
Yes |
Cross-site request forgery |
A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker- specified host... |
| CVE-2022-28142 |
High |
Yes |
Unknown |
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues. |
| CVE-2022-28141 |
Medium |
Yes |
Information disclosure |
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it... |
| CVE-2022-28140 |
High |
Yes |
Xml external entity injection |
Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-28139 |
Medium |
Yes |
Unknown |
A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an... |
| CVE-2022-28138 |
Medium |
Yes |
Cross-site request forgery |
A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an... |
| CVE-2022-28137 |
Medium |
Yes |
Unknown |
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect... |
| CVE-2022-28136 |
High |
Yes |
Cross-site request forgery |
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an... |
| CVE-2022-28135 |
Medium |
Yes |
Information disclosure |
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins... |
| CVE-2022-28134 |
Medium |
Yes |
Unknown |
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with... |
| CVE-2022-28133 |
Medium |
Yes |
Cross-site scripting |
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored... |