TechMedia

Category: HIGH

385 Posts


[org.jenkins-ci.main:jenkins-core] Stored XSS vulnerability in Jenkins job build time trend

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/28/2022

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier do not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
Jenkins 2.245, LTS 2.235.2 escapes the agent name.
References

https://nvd.nist.go…

[org.jenkins-ci.main:jenkins-core] Stored XSS vulnerability in Jenkins upstream cause

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/28/2022

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier do not escape the upstream job’s display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
Jenkins 2.245, LTS 2.235.2 escapes the job display name.
Refere…

[org.jenkins-ci.plugins:play-autotest-plugin] OS command injection vulnerability in Jenkins Play Framework Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

A form validation endpoint in Play Framework Plugin executes the play command to validate a given input file.
Play Framework Plugin 1.0.2 and earlier lets users specify the path to the play command on the Jenkins controller. This results in an OS comma…

[org.jenkins-ci.plugins:selenium] Complete lack of CSRF protection in Jenkins Selenium Plugin can lead to OS command injection

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/21/2022

Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints.
This allows attackers to perform the following actions:

  • Restart the Selenium Grid hub.
  • Delete or replace the plugin configuration.
  • Start, stop, or restart Selenium con…

[io.jenkins.plugins:scm-filter-jervis] RCE vulnerability in SCM Filter Jervis Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure jobs with the filter, or c…

[com.parasoft:parasoft-findings] XXE vulnerability in Jenkins Parasoft Findings Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

Parasoft Findings Plugin implements a static analysis parser for various Parasoft products and integrates with Warnings Plugin (10.4.1 and earlier) and Warnings NG Plugin (10.4.2 and newer).
Parasoft Findings Plugin 10.4.3 and earlier does not configur…

[io.jenkins.plugins:aws-sam] RCE vulnerability in Jenkins AWS SAM Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a p…

[org.jenkins-ci.plugins:yaml-axis] RCE vulnerability in Jenkins Yaml Axis Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/17/2022

Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a multi-configuration (Matrix) job…

[io.jenkins.plugins:code-coverage-api] XXE vulnerability in Jenkins Code Coverage API Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/20/2022

Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the “Publish Coverage Report” post-build step to have Jenkins parse a craf…

[org.jenkins-ci.plugins:rapiddeploy-jenkins] XXE vulnerability in Jenkins RapidDeploy Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 / 12/22/2022

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘RapidDeploy deployment package build’ build or post-build step to have Jenkin…
