Filtered by vendor Jenkins
Total: 807 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16563 | 1 Jenkins | 1 Mission Control | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties. | |||||
| CVE-2019-16542 | 1 Jenkins | 1 Anchore Container Image Scanner | 2019-12-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-16543 | 1 Jenkins | 1 Spira Importer | 2019-12-03 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2018-1000426 | 1 Jenkins | 1 Git Changelog | 2019-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages. | |||||
| CVE-2019-16539 | 1 Jenkins | 1 Support Core | 2019-11-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles. | |||||
| CVE-2019-16540 | 1 Jenkins | 1 Support Core | 2019-11-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A path traversal vulnerability in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master. | |||||
| CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2019-11-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. | |||||
| CVE-2012-4439 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins. | |||||
| CVE-2012-4440 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin. | |||||
| CVE-2012-4441 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin. | |||||
| CVE-2019-10475 | 1 Jenkins | 1 Build-metrics | 2019-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | |||||
| CVE-2016-3101 | 1 Jenkins | 1 Extra Columns | 2019-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. | |||||
| CVE-2016-4988 | 1 Jenkins | 1 Build Failure Analyzer | 2019-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. | |||||
| CVE-2016-4987 | 1 Jenkins | 1 Image Gallery | 2019-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields. | |||||
| CVE-2019-10459 | 1 Jenkins | 1 Mattermost Notification | 2019-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10463 | 1 Jenkins | 1 Dynatrace Application Monitoring | 2019-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10469 | 1 Jenkins | 1 Kubernetes Ci | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10470 | 1 Jenkins | 1 Kubernetes Ci | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2019-10472 | 1 Jenkins | 1 Libvirt Slaves | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10473 | 1 Jenkins | 1 Libvirt Slaves | 2019-10-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2019-10474 | 1 Jenkins | 1 Global Post Script | 2019-10-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system. | |||||
| CVE-2019-10465 | 1 Jenkins | 1 Deploy Weblogic | 2019-10-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system. | |||||
| CVE-2019-10467 | 1 Jenkins | 1 Sonar Gerrit | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10451 | 1 Jenkins | 1 Soasta Cloudtest | 2019-10-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10441 | 1 Jenkins | 1 Icescrum | 2019-10-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10447 | 1 Jenkins | 1 Sofy.ai | 2019-10-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10452 | 1 Jenkins | 1 View26 Test-reporting | 2019-10-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10444 | 1 Jenkins | 1 Bumblebee Hp Alm | 2019-10-18 | 6.4 MEDIUM | 6.5 MEDIUM |
| Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disabled SSL/TLS and hostname verification for connections to HP ALM. | |||||
| CVE-2019-10454 | 1 Jenkins | 1 Rundeck | 2019-10-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10456 | 1 Jenkins | 1 Oracle Cloud Infrastructure Compute Classic | 2019-10-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10408 | 1 Jenkins | 1 Project Inheritance | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates. | |||||
| CVE-2019-10427 | 1 Jenkins | 1 Aqua Microscanner | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-10422 | 1 Jenkins | 1 Call Remote Job | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10421 | 1 Jenkins | 1 Azure Event Grid Notifier | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10414 | 1 Jenkins | 1 Git Changelog | 2019-10-09 | 3.5 LOW | 6.5 MEDIUM |
| Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10413 | 1 Jenkins | 1 Data Theorem Mobile App Security | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10410 | 1 Jenkins | 1 Log Parser | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. | |||||
| CVE-2019-10407 | 1 Jenkins | 1 Project Inheritance | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. | |||||
| CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
| CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
| CVE-2019-10403 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | |||||
| CVE-2019-10402 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | |||||
| CVE-2019-10401 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | |||||
| CVE-2019-10398 | 1 Jenkins | 1 Beaker Builder | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10396 | 1 Jenkins | 1 Dashboard View | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions. | |||||
| CVE-2019-10395 | 1 Jenkins | 1 Build Environment | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties. | |||||
| CVE-2019-10388 | 1 Jenkins | 1 Relution Enterprise Appstore Publisher | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | |||||
| CVE-2019-10382 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2019-10-09 | 5.8 MEDIUM | 6.5 MEDIUM |
| Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | |||||
| CVE-2019-10416 | 1 Jenkins | 1 Violation Comments To Gitlab | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10376 | 1 Jenkins | 1 Wall Display | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | |||||
