Filtered by vendor Jenkins
Subscribe
Search
Total
807 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-2212 | 1 Jenkins | 1 Github Coverage Reporter | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. | |||||
| CVE-2020-2213 | 1 Jenkins | 1 White Source | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system. | |||||
| CVE-2020-2214 | 1 Jenkins | 1 Zap Pipeline | 2020-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2020-2215 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2020-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. | |||||
| CVE-2020-2205 | 1 Jenkins | 1 Vncrecorder | 2020-07-06 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators. | |||||
| CVE-2020-2207 | 1 Jenkins | 1 Vncviewer | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-2219 | 1 Jenkins | 1 Link Column | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2019-1003084 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003092 | 1 Jenkins | 1 Nomad | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003098 | 1 Jenkins | 1 Openid | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003086 | 1 Jenkins | 1 Chef Sinatra | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003080 | 1 Jenkins | 1 Openshift Deployer | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003090 | 1 Jenkins | 1 Soasta Cloudtest | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003078 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003076 | 1 Jenkins | 1 Audit To Database | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003058 | 1 Jenkins | 1 Ftp Publisher | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003042 | 1 Jenkins | 1 Lockable Resources | 2020-06-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | |||||
| CVE-2019-1003082 | 1 Jenkins | 1 Gearman | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2020-2199 | 1 Jenkins | 1 Subversion Partial Release Manager | 2020-06-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability. | |||||
| CVE-2020-2198 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure. | |||||
| CVE-2020-2197 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format. | |||||
| CVE-2020-2191 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels. | |||||
| CVE-2020-2192 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2020-06-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. | |||||
| CVE-2020-2194 | 1 Jenkins | 1 Echarts Api | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2195 | 1 Jenkins | 1 Compact Columns | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. | |||||
| CVE-2020-2193 | 1 Jenkins | 1 Echarts Api | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2190 | 1 Jenkins | 1 Script Security | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2181 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | |||||
| CVE-2020-2182 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. | |||||
| CVE-2020-2188 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2020-2183 | 1 Jenkins | 1 Copy Artifact | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. | |||||
| CVE-2020-2187 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 6.8 MEDIUM | 5.6 MEDIUM |
| Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. | |||||
| CVE-2020-2184 | 1 Jenkins | 1 Current Versions Systems | 2020-05-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL. | |||||
| CVE-2020-2185 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 6.8 MEDIUM | 5.6 MEDIUM |
| Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks. | |||||
| CVE-2020-2186 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances. | |||||
| CVE-2020-2177 | 1 Jenkins | 1 Copr | 2020-04-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2176 | 1 Jenkins | 1 Usemango Runner | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM |
| Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service. | |||||
| CVE-2020-2172 | 1 Jenkins | 1 Code Coverage Api | 2020-04-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2173 | 1 Jenkins | 1 Gatling | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content. | |||||
| CVE-2020-2174 | 1 Jenkins | 1 Awseb Deployment | 2020-04-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability. | |||||
| CVE-2020-2175 | 1 Jenkins | 1 Fitnesse | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin. | |||||
| CVE-2020-2161 | 1 Jenkins | 1 Jenkins | 2020-03-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. | |||||
| CVE-2020-2169 | 1 Jenkins | 1 Queue Cleanup | 2020-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability. | |||||
| CVE-2020-2170 | 1 Jenkins | 1 Rapiddeploy | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability. | |||||
| CVE-2020-2163 | 1 Jenkins | 1 Jenkins | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. | |||||
| CVE-2020-2162 | 1 Jenkins | 1 Jenkins | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | |||||
| CVE-2020-2100 | 1 Jenkins | 1 Jenkins | 2020-03-17 | 5.0 MEDIUM | 5.8 MEDIUM |
| Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. | |||||
| CVE-2020-2104 | 1 Jenkins | 1 Jenkins | 2020-03-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. | |||||
| CVE-2020-2105 | 1 Jenkins | 1 Jenkins | 2020-03-17 | 4.3 MEDIUM | 5.4 MEDIUM |
| REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. | |||||