CVE-2022-41224
- EPSS 0.89%
- Veröffentlicht 21.09.2022 16:15:09
- Zuletzt bearbeitet 28.05.2025 16:15:28
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to contr...
CVE-2022-2048
- EPSS 2.27%
- Veröffentlicht 07.07.2022 21:15:10
- Zuletzt bearbeitet 21.11.2024 07:00:13
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service s...
CVE-2022-34170
- EPSS 1.36%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:08:59
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site ...
CVE-2022-34171
- EPSS 1.36%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:08:59
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of '...
CVE-2022-34172
- EPSS 1.36%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:08:59
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2022-34173
- EPSS 1.36%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:09:00
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure per...
CVE-2022-34174
- EPSS 1.23%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:09:00
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using t...
CVE-2022-34175
- EPSS 1.3%
- Veröffentlicht 23.06.2022 17:15:15
- Zuletzt bearbeitet 21.11.2024 07:09:00
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
CVE-2022-0538
- EPSS 3.9%
- Veröffentlicht 09.02.2022 14:15:07
- Zuletzt bearbeitet 21.11.2024 06:38:52
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.
CVE-2021-43859
- EPSS 7.93%
- Veröffentlicht 01.02.2022 12:15:08
- Zuletzt bearbeitet 03.11.2025 22:15:52
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resul...