Filtered by vendor Jenkins
Subscribe
Search
Total
807 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1999031 | 1 Jenkins | 1 Meliora Testlab | 2018-10-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. | |||||
| CVE-2018-1999029 | 1 Jenkins | 1 Shelve Project | 2018-10-01 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1000402 | 1 Jenkins | 1 Aws Codedeploy | 2018-09-10 | 5.0 MEDIUM | 4.3 MEDIUM |
| Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later. | |||||
| CVE-2018-1000609 | 1 Jenkins | 1 Configuration As Code | 2018-08-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. | |||||
| CVE-2018-1000607 | 1 Jenkins | 1 Fortify Cloudscan | 2018-08-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as. | |||||
| CVE-2018-1000606 | 1 Jenkins | 1 Urltrigger | 2018-08-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000604 | 1 Jenkins | 1 Badge | 2018-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1000602 | 1 Jenkins | 1 Saml | 2018-08-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session. | |||||
| CVE-2018-1000601 | 1 Jenkins | 1 Ssh Credentials | 2018-08-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system. | |||||
| CVE-2018-1000198 | 1 Jenkins | 1 Black Duck Hub | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document. | |||||
| CVE-2018-1000202 | 1 Jenkins | 1 Groovy Postbuild | 2018-07-18 | 3.5 LOW | 5.4 MEDIUM |
| A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1000196 | 1 Jenkins | 1 Gitlab Hook | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token. | |||||
| CVE-2018-1000190 | 1 Jenkins | 1 Black Duck Hub | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000188 | 1 Jenkins | 1 Cas | 2018-07-18 | 5.5 MEDIUM | 5.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000187 | 1 Jenkins | 1 Kubernetes | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs. | |||||
| CVE-2018-1000186 | 1 Jenkins | 1 Github Pull Request Builder | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000185 | 1 Jenkins | 1 Github Branch Source | 2018-07-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000184 | 1 Jenkins | 1 Github | 2018-07-18 | 5.5 MEDIUM | 5.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000183 | 1 Jenkins | 1 Github | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000182 | 1 Jenkins | 1 Git | 2018-07-18 | 5.5 MEDIUM | 6.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000177 | 1 Jenkins | 1 S3 Publisher | 2018-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions. | |||||
| CVE-2018-1000176 | 1 Jenkins | 1 Email Extension | 2018-06-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password. | |||||
| CVE-2018-1000175 | 1 Jenkins | 1 Html Publisher | 2018-06-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master. | |||||
| CVE-2018-1000173 | 1 Jenkins | 1 Google Login | 2018-06-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
| CVE-2018-1000174 | 1 Jenkins | 1 Google Login | 2018-06-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. | |||||
| CVE-2018-1000148 | 1 Jenkins | 1 Copy To Slave | 2018-05-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure jobs to read arbitrary files from the Jenkins master file system. | |||||
| CVE-2018-1000143 | 1 Jenkins | 1 Github Pull Request Builder | 2018-05-15 | 2.1 LOW | 6.7 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. | |||||
| CVE-2018-1000151 | 1 Jenkins | 1 Vsphere | 2018-05-15 | 6.8 MEDIUM | 5.6 MEDIUM |
| A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. | |||||
| CVE-2018-1000144 | 1 Jenkins | 1 Cucumber Living Documentation | 2018-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. | |||||
| CVE-2018-1000108 | 1 Jenkins | 1 Cppncss | 2018-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed. | |||||
| CVE-2018-1000113 | 1 Jenkins | 1 Testlink | 2018-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript | |||||
| CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | |||||
| CVE-2017-1000389 | 1 Jenkins | 1 Global-build-stats | 2018-02-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability. | |||||
| CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2018-02-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. | |||||
| CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2018-02-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. | |||||
| CVE-2017-1000402 | 1 Jenkins | 1 Swarm | 2018-02-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | |||||
| CVE-2017-1000397 | 1 Jenkins | 1 Maven | 2018-02-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient. | |||||
| CVE-2016-3722 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name." | |||||
| CVE-2016-3727 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. | |||||
| CVE-2016-3725 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 5.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). | |||||
| CVE-2016-3724 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. | |||||
| CVE-2016-3723 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. | |||||
| CVE-2016-3721 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. | |||||
| CVE-2016-0790 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. | |||||
| CVE-2016-0789 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2017-12-22 | 3.5 LOW | 4.7 MEDIUM |
| Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. | |||||
| CVE-2017-1000085 | 1 Jenkins | 1 Subversion | 2017-11-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks. | |||||
| CVE-2017-1000087 | 1 Jenkins | 1 Github Branch Source | 2017-11-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | |||||
| CVE-2017-1000088 | 1 Jenkins | 1 Sidebar Link | 2017-11-02 | 3.5 LOW | 5.4 MEDIUM |
| The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links. | |||||
| CVE-2017-1000103 | 1 Jenkins | 1 Dry | 2017-11-01 | 3.5 LOW | 5.4 MEDIUM |
| The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. | |||||