Filtered by vendor Jenkins
Total: 352 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-2160 | 1 Jenkins | 1 Jenkins | 2020-03-30 | 6.8 MEDIUM | 8.8 HIGH | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. |
| CVE-2020-2166 | 1 Jenkins | 1 Pipeline\ | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2167 | 1 Jenkins | 1 Openshift Pipeline | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH | Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2168 | 1 Jenkins | 1 Azure Container Service | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2171 | 1 Jenkins | 1 Rapiddeploy | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH | Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2099 | 1 Jenkins | 1 Jenkins | 2020-03-17 | 7.5 HIGH | 8.6 HIGH | Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents. |
| CVE-2020-2144 | 1 Jenkins | 1 Rundeck | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH | Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2134 | 1 Jenkins | 1 Script Security | 2020-03-10 | 6.5 MEDIUM | 8.8 HIGH | Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies. |
| CVE-2020-2135 | 1 Jenkins | 1 Script Security | 2020-03-10 | 6.5 MEDIUM | 8.8 HIGH | Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable. |
| CVE-2020-2138 | 1 Jenkins | 1 Cobertura | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH | Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2158 | 1 Jenkins | 1 Literate | 2020-03-09 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2146 | 1 Jenkins | 1 Mac | 2020-03-09 | 5.8 MEDIUM | 7.4 HIGH | Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. |
| CVE-2020-2159 | 1 Jenkins | 1 Cryptomove | 2020-03-09 | 9.0 HIGH | 8.8 HIGH | Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins. |
| CVE-2012-0785 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2020-03-04 | 7.8 HIGH | 7.5 HIGH | Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack." |
| CVE-2020-2121 | 1 Jenkins | 1 Google Kubernetes Engine | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2120 | 1 Jenkins | 1 Fitnesse | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2115 | 1 Jenkins | 1 Nunit | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2114 | 1 Jenkins | 1 S3 Publisher | 2020-02-14 | 5.0 MEDIUM | 7.5 HIGH | Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2020-2116 | 1 Jenkins | 1 Pipeline Github Notify Step | 2020-02-14 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2020-2123 | 1 Jenkins | 1 Radargun | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2108 | 1 Jenkins | 1 Websphere Deployer | 2020-01-30 | 6.5 MEDIUM | 7.6 HIGH | Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks, which can be exploited by a user with Job/Configure permissions. |
| CVE-2015-1809 | 1 Jenkins | 1 Cloudbees | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH | XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query. |
| CVE-2015-1811 | 1 Jenkins | 1 Cloudbees | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH | XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document. |
| CVE-2020-2097 | 1 Jenkins | 1 Sounds | 2020-01-23 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins. |
| CVE-2020-2098 | 1 Jenkins | 1 Sounds | 2020-01-22 | 9.3 HIGH | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attackers to execute arbitrary OS commands as the OS user account running Jenkins. |
| CVE-2020-2093 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2020-01-22 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient. |
| CVE-2020-2092 | 1 Jenkins | 1 Robot Framework | 2020-01-22 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents. |
| CVE-2020-2090 | 1 Jenkins | 1 Amazon Ec2 | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. |
| CVE-2019-16558 | 1 Jenkins | 1 Spira Importer | 2020-01-03 | 6.4 MEDIUM | 8.2 HIGH | Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. |
| CVE-2019-16553 | 1 Jenkins | 1 Build Failure Analyzer | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression. |
| CVE-2019-16551 | 1 Jenkins | 1 Gerrit Trigger | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials. |
| CVE-2019-16560 | 1 Jenkins | 1 Websphere Deployer | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. |
| CVE-2019-16550 | 1 Jenkins | 1 Maven | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents. |
| CVE-2019-16549 | 1 Jenkins | 1 Maven | 2020-01-03 | 6.8 MEDIUM | 8.1 HIGH | Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. |
| CVE-2019-16575 | 1 Jenkins | 1 Alauda Kubernetes Support | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Support Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins. |
| CVE-2019-16573 | 1 Jenkins | 1 Alauda Devops Pipeline | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2019-16565 | 1 Jenkins | 1 Team Concert | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2019-16570 | 1 Jenkins | 1 Rapiddeploy | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server. |
| CVE-2019-16561 | 1 Jenkins | 1 Websphere Deployer | 2019-12-18 | 5.5 MEDIUM | 7.1 HIGH | Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM. |
| CVE-2015-7539 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 7.6 HIGH | 7.5 HIGH | The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin. |
| CVE-2015-7537 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method. |
| CVE-2015-7538 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH | Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. |
| CVE-2019-16548 | 1 Jenkins | 1 Google Compute Engine | 2019-11-22 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. |
| CVE-2012-4438 | 1 Jenkins | 1 Jenkins | 2019-11-20 | 6.5 MEDIUM | 8.8 HIGH | Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code. |
| CVE-2019-10440 | 1 Jenkins | 1 Neoload | 2019-10-30 | 4.0 MEDIUM | 8.8 HIGH | Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10443 | 1 Jenkins | 1 Icescrum | 2019-10-30 | 4.0 MEDIUM | 8.8 HIGH | Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2016-4986 | 1 Jenkins | 1 Tap | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH | Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. |
| CVE-2019-10462 | 1 Jenkins | 1 Dynatrace Application Monitoring | 2019-10-25 | 6.8 MEDIUM | 8.1 HIGH | A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2019-10-25 | 5.5 MEDIUM | 8.1 HIGH | An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. |
| CVE-2019-10468 | 1 Jenkins | 1 Kubernetes Ci | 2019-10-24 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
