Filtered by vendor Jenkins
Subscribe
Search
Total
1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10328 | 1 Jenkins | 1 Pipeline Remote Loader | 2019-06-03 | 6.5 MEDIUM | 9.9 CRITICAL |
| Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. | |||||
| CVE-2019-10325 | 1 Jenkins | 1 Warnings Next Generation | 2019-06-03 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages. | |||||
| CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2019-05-22 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification | |||||
| CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2019-05-22 | 7.5 HIGH | 9.8 CRITICAL |
| The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | |||||
| CVE-2017-1000398 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. | |||||
| CVE-2017-1000394 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins. | |||||
| CVE-2017-1000395 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator. | |||||
| CVE-2017-1000396 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. | |||||
| CVE-2017-1000399 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to. | |||||
| CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 6.8 MEDIUM | 8.1 HIGH |
| A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. | |||||
| CVE-2017-1000401 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 1.2 LOW | 2.2 LOW |
| The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged. | |||||
| CVE-2017-1000393 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 9.0 HIGH | 8.8 HIGH |
| Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators. | |||||
| CVE-2017-1000392 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. | |||||
| CVE-2017-1000391 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.9 MEDIUM | 7.3 HIGH |
| Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files. | |||||
| CVE-2018-1000407 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. | |||||
| CVE-2018-1000406 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. | |||||
| CVE-2018-1000862 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | |||||
| CVE-2018-1999046 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. | |||||
| CVE-2018-1999045 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. | |||||
| CVE-2018-1000997 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation. | |||||
| CVE-2018-1000170 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1000409 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.8 MEDIUM | 5.4 MEDIUM |
| A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. | |||||
| CVE-2018-1000410 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 2.1 LOW | 7.8 HIGH |
| An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. | |||||
| CVE-2018-1999042 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. | |||||
| CVE-2018-1999006 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. | |||||
| CVE-2019-10310 | 1 Jenkins | 1 Ansible Tower | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins | |||||
| CVE-2019-10300 | 1 Jenkins | 1 Gitlab | 2019-05-06 | 3.5 LOW | 8.0 HIGH |
| A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10309 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2019-05-06 | 4.8 MEDIUM | 9.3 CRITICAL |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients. | |||||
| CVE-2019-10315 | 1 Jenkins | 1 Github Authentication | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF. | |||||
| CVE-2019-10317 | 1 Jenkins | 1 Sitemonitor | 2019-05-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. | |||||
| CVE-2019-10314 | 1 Jenkins | 1 Koji | 2019-05-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | |||||
| CVE-2019-10307 | 1 Jenkins | 1 Static Analysis Utilities | 2019-05-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. | |||||
| CVE-2019-1003010 | 2 Jenkins, Redhat | 2 Git, Openshift Container Platform | 2019-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. | |||||
| CVE-2018-1000191 | 1 Jenkins | 1 Synopsys Detect | 2019-04-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Black Duck Detect Plugin 1.4.0 and older in DetectPostBuildStepDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1999027 | 1 Jenkins | 1 Saltstack | 2019-04-16 | 6.8 MEDIUM | 7.5 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-8718 | 1 Jenkins | 1 Mailer | 2019-03-04 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. | |||||
| CVE-2018-1000411 | 1 Jenkins | 1 Junit | 2019-01-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. | |||||
| CVE-2018-1000417 | 1 Jenkins | 1 Email Extension Template | 2019-01-22 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates. | |||||
| CVE-2018-1000414 | 1 Jenkins | 1 Config File Provider | 2019-01-22 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions. | |||||
| CVE-2014-3681 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-12-18 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-2033 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-12-06 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-0324 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325. | |||||
| CVE-2012-0325 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324. | |||||
| CVE-2012-6073 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2012-6074 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-0158 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 2.6 LOW | N/A |
| Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors. | |||||
| CVE-2012-6072 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2018-1999039 | 1 Jenkins | 1 Confluence Publisher | 2018-10-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials. | |||||
| CVE-2018-1999038 | 1 Jenkins | 1 Publish Over Cifs | 2018-10-15 | 4.9 MEDIUM | 4.2 MEDIUM |
| A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. | |||||
| CVE-2018-1999037 | 1 Jenkins | 1 Resource Disposer | 2018-10-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource. | |||||