Filtered by vendor Jenkins
Subscribe
Search
Total
1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10419 | 1 Jenkins | 1 Vfabric Application Director | 2019-10-09 | 2.1 LOW | 7.8 HIGH |
| Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10407 | 1 Jenkins | 1 Project Inheritance | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. | |||||
| CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
| CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
| CVE-2019-10403 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | |||||
| CVE-2019-10402 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | |||||
| CVE-2019-10401 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | |||||
| CVE-2019-10432 | 1 Jenkins | 1 Html Publisher | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. | |||||
| CVE-2019-10425 | 1 Jenkins | 1 Google Calendar | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10372 | 1 Jenkins | 1 Gitlab Oauth | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login. | |||||
| CVE-2019-10371 | 1 Jenkins | 1 Gitlab Oauth | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
| CVE-2019-10368 | 1 Jenkins | 1 Jclouds | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10367 | 1 Jenkins | 1 Configuration As Code | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. | |||||
| CVE-2019-10360 | 1 Jenkins | 1 M2 Release | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10359 | 1 Jenkins | 1 M2release | 2019-10-09 | 6.8 MEDIUM | 6.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options. | |||||
| CVE-2019-10349 | 1 Jenkins | 1 Dependency Graph Viewer | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10346 | 1 Jenkins | 1 Embeddable Build Status | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin. | |||||
| CVE-2019-10343 | 1 Jenkins | 1 Configuration As Code | 2019-10-09 | 2.1 LOW | 3.3 LOW |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. | |||||
| CVE-2019-10304 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2017-2649 | 1 Jenkins | 1 Active Directory | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. | |||||
| CVE-2017-2648 | 1 Jenkins | 1 Ssh Slaves | 2019-10-09 | 6.8 MEDIUM | 5.6 MEDIUM |
| It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. | |||||
| CVE-2017-2651 | 1 Jenkins | 1 Mailer | 2019-10-09 | 4.3 MEDIUM | 3.7 LOW |
| jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. | |||||
| CVE-2017-2652 | 1 Jenkins | 1 Distributed Fork | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes. | |||||
| CVE-2017-2650 | 1 Jenkins | 1 Pipeline Classpath Step | 2019-10-09 | 6.0 MEDIUM | 8.5 HIGH |
| It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins. | |||||
| CVE-2017-2654 | 1 Jenkins | 1 Email Extension | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. | |||||
| CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | |||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). | |||||
| CVE-2017-2600 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). | |||||
| CVE-2017-2606 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. | |||||
| CVE-2017-2613 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 5.8 MEDIUM | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). | |||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). | |||||
| CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 3.5 LOW |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). | |||||
| CVE-2017-2604 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). | |||||
| CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. | |||||
| CVE-2017-2612 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. | |||||
| CVE-2017-2610 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). | |||||
| CVE-2017-2609 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. | |||||
| CVE-2018-1000107 | 1 Jenkins | 1 Job And Node Ownership | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata. | |||||
| CVE-2018-1999047 | 1 Jenkins | 1 Jenkins | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. | |||||
| CVE-2018-1999044 | 1 Jenkins | 1 Jenkins | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
| CVE-2018-1999043 | 1 Jenkins | 1 Jenkins | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. | |||||
| CVE-2018-1999040 | 1 Jenkins | 1 Kubernetes | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1999036 | 1 Jenkins | 1 Ssh Agent | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. | |||||
| CVE-2018-1999030 | 1 Jenkins | 1 Maven Artifact Choicelistprovider \(nexus\) | 2019-10-03 | 4.0 MEDIUM | 5.4 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1999028 | 1 Jenkins | 1 Accurev | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
| CVE-2018-1000863 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-03 | 6.4 MEDIUM | 8.2 HIGH |
| A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | |||||
| CVE-2018-1000864 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
| CVE-2018-1000865 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | |||||
| CVE-2018-1000610 | 1 Jenkins | 1 Configuration As Code | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin. | |||||