Filtered by vendor Jenkins
Total: 1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000015 | 1 Jenkins | 1 Pipeline Nodes And Processes | 2020-08-24 | 4.9 MEDIUM | 4.8 MEDIUM |
| On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier. | |||||
| CVE-2017-1000105 | 1 Jenkins | 1 Blue Ocean | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts; Item/Read permission was sufficient. | |||||
| CVE-2018-1000149 | 1 Jenkins | 1 Ansible | 2020-08-24 | 6.8 MEDIUM | 5.6 MEDIUM |
| A man-in-the-middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. | |||||
| CVE-2018-1000412 | 1 Jenkins | 1 Jira | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2020-2237 | 1 Jenkins | 1 Flaky Test Handler | 2020-08-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision. | |||||
| CVE-2020-2236 | 1 Jenkins | 1 Yet Another Build Visualizer | 2020-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission. | |||||
| CVE-2020-2235 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-08-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | |||||
| CVE-2020-2234 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | |||||
| CVE-2020-2232 | 1 Jenkins | 1 Email Extension | 2020-08-13 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. | |||||
| CVE-2020-2233 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2020-2227 | 1 Jenkins | 1 Deployer Framework | 2020-07-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2226 | 1 Jenkins | 1 Matrix Authorization Strategy | 2020-07-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2221 | 1 Jenkins | 1 Jenkins | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2220 | 1 Jenkins | 1 Jenkins | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2222 | 1 Jenkins | 1 Jenkins | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2224 | 1 Jenkins | 1 Matrix Project | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2223 | 1 Jenkins | 1 Jenkins | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not correctly escape the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2225 | 1 Jenkins | 1 Matrix Project | 2020-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2203 | 1 Jenkins | 1 Fortify On Demand | 2020-07-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. | |||||
| CVE-2020-2208 | 1 Jenkins | 1 Slack Upload | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2216 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password. | |||||
| CVE-2020-2204 | 1 Jenkins | 1 Fortify On Demand | 2020-07-15 | 5.5 MEDIUM | 5.4 MEDIUM |
| A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. | |||||
| CVE-2020-2202 | 1 Jenkins | 1 Fortify On Demand | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2019-1003097 | 1 Jenkins | 1 Crowd Integration | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-1003096 | 1 Jenkins | 1 Testfairy | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-1003099 | 1 Jenkins | 1 Openid | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003085 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003083 | 1 Jenkins | 1 Gearman | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003079 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003093 | 1 Jenkins | 1 Nomad | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003091 | 1 Jenkins | 1 Soasta Cloudtest | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003087 | 1 Jenkins | 1 Chef Sinatra | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003081 | 1 Jenkins | 1 Openshift Deployer | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2020-2110 | 1 Jenkins | 1 Script Security | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations. | |||||
| CVE-2020-2109 | 1 Jenkins | 1 Pipeline: Groovy | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. | |||||
| CVE-2019-16538 | 1 Jenkins | 1 Script Security | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2020-2201 | 1 Jenkins | 1 Sonargraph Integration | 2020-07-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2206 | 1 Jenkins | 1 Vncrecorder | 2020-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-2209 | 1 Jenkins | 1 Testcomplete Support | 2020-07-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2210 | 1 Jenkins | 1 Stash Branch Parameter | 2020-07-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2020-2212 | 1 Jenkins | 1 Github Coverage Reporter | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. | |||||
| CVE-2020-2213 | 1 Jenkins | 1 White Source | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system. | |||||
| CVE-2020-2214 | 1 Jenkins | 1 Zap Pipeline | 2020-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2020-2215 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2020-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. | |||||
| CVE-2020-2205 | 1 Jenkins | 1 Vncrecorder | 2020-07-06 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators. | |||||
| CVE-2020-2207 | 1 Jenkins | 1 Vncviewer | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-2211 | 1 Jenkins | 1 Kubernetes Ci | 2020-07-06 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2219 | 1 Jenkins | 1 Link Column | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003098 | 1 Jenkins | 1 Openid | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
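Many of the entries above share one root cause: a plugin Descriptor exposes a form-validation method (doTestConnection, doValidate, doCheckLogin, doFillCredentialsIdItems) that is reachable by GET, requires no CSRF crumb, performs no permission check, and resolves any credentials ID the caller names before connecting to a caller-chosen URL. The following is an added example, not code from any plugin listed on this page: a hypothetical ExampleServer setting whose descriptor shows the vulnerable shape next to the hardened one. It assumes the Jenkins core and Credentials plugin APIs (Jenkins.get, @POST, Item.CONFIGURE, CredentialsProvider.lookupCredentials, StandardListBoxModel.includeMatchingAs); the class and field names are made up.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical "remote server" setting of a plugin (names are made up for this example). */
public class ExampleServer extends AbstractDescribableImpl<ExampleServer> {
    private final String url;
    private final String credentialsId;

    @DataBoundConstructor
    public ExampleServer(String url, String credentialsId) {
        this.url = url;
        this.credentialsId = credentialsId;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServer> {

        // VULNERABLE shape (the pattern behind the doTestConnection/doValidate CVEs above):
        // GET-reachable by anyone with Overall/Read, no crumb needed, resolves whatever
        // credentials ID the caller supplies and sends it to a caller-chosen URL.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
            StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                    Jenkins.get(), ACL.SYSTEM, URIRequirementBuilder.fromUri(url).build()),
                CredentialsMatchers.withId(credentialsId));
            return connect(url, c);
        }

        // HARDENED shape: @POST makes Stapler reject GET and demand a valid crumb (CSRF),
        // the permission check stops Overall/Read users, and the lookup is scoped to the
        // job being configured instead of the whole instance.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // global configuration
            } else {
                item.checkPermission(Item.CONFIGURE);                // job configuration
            }
            StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                    item, ACL.SYSTEM, URIRequirementBuilder.fromUri(url).build()),
                CredentialsMatchers.withId(credentialsId));
            return connect(url, c);
        }

        // Dropdown filler. Without the gate below it returns every credentials ID to anyone
        // with Overall/Read (the "enumerate credentials ID" CVEs above); with it, an
        // unprivileged caller only gets back the value already in the form.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
            return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                    URIRequirementBuilder.fromUri(url).build(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
        }

        // The actual probe: HTTP Basic with a short timeout. Only ever reached once the
        // caller has passed the checks above.
        private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
            if (c == null) {
                return FormValidation.error("No credentials found for the given ID");
            }
            try {
                java.net.HttpURLConnection conn =
                    (java.net.HttpURLConnection) new java.net.URL(url).openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                String basic = java.util.Base64.getEncoder().encodeToString(
                    (c.getUsername() + ":" + c.getPassword().getPlainText())
                        .getBytes(java.nio.charset.StandardCharsets.UTF_8));
                conn.setRequestProperty("Authorization", "Basic " + basic);
                int code = conn.getResponseCode();
                return code < 400 ? FormValidation.ok("Connected (HTTP " + code + ")")
                                  : FormValidation.error("Server answered HTTP " + code);
            } catch (java.io.IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The three fixes are independent and each maps to a separate CVE class on this page: @POST closes the CSRF entries, the checkPermission call closes the "missing permission check" entries, and the gate in doFillCredentialsIdItems closes the credentials-ID enumeration entries. Leaving any one out reopens that class even when the other two are present.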
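A second recurring pattern above is a plugin that keeps a password or token in a plain String field. Jenkins persists Describable objects to config.xml with XStream, so a String secret lands on disk verbatim and is readable by anyone with Item/ExtendedRead or file-system access, and the configuration form sends it back to the browser in clear text. The following is an added example, not code from any plugin on this page: a hypothetical build step showing the String field beside its hudson.util.Secret replacement. It assumes the Jenkins core APIs Secret, Builder, SimpleBuildStep and BuildStepDescriptor; the class name and display name are made up.

```java
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;

import java.io.IOException;

/** Hypothetical build step that authenticates to a remote service with an API token. */
public class TokenUploadBuilder extends Builder implements SimpleBuildStep {

    // BEFORE (the "stores a secret unencrypted in job config.xml" shape):
    //   private final String apiToken;
    // XStream writes <apiToken>the-real-token</apiToken> into the job's config.xml, and
    // a plain <f:textbox> in config.jelly echoes it to anyone who can open the form.

    // AFTER: Secret. XStream serialises the encrypted, base64-encoded form (wrapped in
    // braces), keyed by the instance's master key, and <f:password field="apiToken"/> in
    // config.jelly renders that encrypted form rather than the plain text.
    private final Secret apiToken;

    @DataBoundConstructor
    public TokenUploadBuilder(Secret apiToken) {
        this.apiToken = apiToken;
    }

    // The getter returns the Secret, not the plain text, so the form round-trip and any
    // Pipeline snippet generator output never carry the decrypted value.
    public Secret getApiToken() {
        return apiToken;
    }

    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher,
                        TaskListener listener) throws IOException, InterruptedException {
        // Decrypt at the point of use only; Secret.toString handles a null Secret safely.
        String token = Secret.toString(apiToken);
        if (token.isEmpty()) {
            throw new IOException("No API token configured");
        }
        // Never log the token itself; the length is enough to confirm it was resolved.
        listener.getLogger().println("Resolved API token (" + token.length() + " chars)");
        // ... put the token in an Authorization header for the upload request here ...
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Upload with API token (example)";
        }
    }
}
```

When retrofitting an existing plugin, existing config.xml files still contain the plain String; Jenkins' XStream converter for Secret accepts an unencrypted string on read, so the value is re-encrypted the next time the job is saved. The global-configuration variant of the same bug (the Email Extension and Stash Branch Parameter entries above) is fixed the same way, with the Secret field living in the GlobalConfiguration subclass instead of the build step.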
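The CVE-2020-2211 entry above is a YAML parser configured to instantiate arbitrary types: with SnakeYAML, a document carrying a global tag such as !!some.jvm.Class is turned into an instance of that class by the default Constructor, which is remote code execution when the YAML comes from a job configuration or an SCM checkout. The following is an added example, not code from the ElasticBox plugin: it shows the unsafe loader beside one built on SafeConstructor, and a constructed document that the safe loader rejects. It assumes SnakeYAML 1.x (org.yaml:snakeyaml) on the classpath; in SnakeYAML 2.x SafeConstructor takes a LoaderOptions argument.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public final class UntrustedYaml {

    // Constructed sample input for this example: a deployment-style document in which
    // one value carries a global tag naming a JVM class. java.net.URL is used here only
    // as a harmless stand-in for whatever class an attacker would actually name.
    static final String TAGGED_DOC =
        "image: nginx:1.19\n" +
        "callback: !!java.net.URL [\"http://example.invalid/\"]\n";

    static final String PLAIN_DOC =
        "image: nginx:1.19\n" +
        "replicas: 3\n";

    // VULNERABLE: new Yaml() uses org.yaml.snakeyaml.constructor.Constructor, which
    // resolves a !!fully.qualified.Name tag to that class and constructs it from the
    // node's contents. This is the configuration behind the CVE-2020-2211 entry.
    public static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // HARDENED: SafeConstructor only builds the standard YAML types (mappings, sequences,
    // scalars) and throws ConstructorException for any tag it does not know.
    public static Map<String, Object> loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(doc);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> mapping = (Map<String, Object>) root;
        return mapping;
    }

    public static void main(String[] args) {
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            // The message names the tag SafeConstructor refused to construct.
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("plain document: " + loadSafe(PLAIN_DOC));
    }
}
```

The shape check on the root is deliberate: even with SafeConstructor a document can still be a scalar or a sequence, and downstream code that casts blindly will fail in less obvious ways than a single rejection at the parse boundary.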
