Skip to main content

Coverity

7 CVEs product

Monthly

CVE-2026-1496 CRITICAL PATCH Act Now

Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass Coverity
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2023-1663 MEDIUM This Month

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass Coverity
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-23849 MEDIUM This Month

Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Coverity
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-36921 Maven HIGH This Week

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Coverity
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2022-36920 Maven HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Coverity
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-36919 Maven MEDIUM This Month

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Coverity
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2018-1000104 Maven HIGH PATCH This Week

A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure Coverity
NVD
CVSS 3.0
7.8
EPSS
0.3%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass Coverity
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Coverity
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Coverity
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Coverity
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Coverity
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy