Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Jenkins Subscribe
Filtered by product Jenkins
Total 233 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1999045 1 Jenkins 1 Jenkins 2019-05-08 5.5 MEDIUM 5.4 MEDIUM
A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.
CVE-2018-1999042 1 Jenkins 1 Jenkins 2019-05-08 5.0 MEDIUM 5.3 MEDIUM
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
CVE-2018-1999006 1 Jenkins 1 Jenkins 2019-05-08 4.0 MEDIUM 4.3 MEDIUM
A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.
CVE-2012-0325 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2018-10-30 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324.
CVE-2012-6072 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2018-10-30 4.3 MEDIUM N/A
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2012-6073 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2018-10-30 5.8 MEDIUM N/A
Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2013-0158 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2018-10-30 2.6 LOW N/A
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.
CVE-2012-0324 2 Cloudbees, Jenkins 2 Jenkins, Jenkins 2018-10-30 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325.
CVE-2017-1000354 1 Jenkins 1 Jenkins 2018-02-15 6.5 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
CVE-2017-1000356 1 Jenkins 1 Jenkins 2018-02-15 6.8 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.
CVE-2017-1000355 1 Jenkins 1 Jenkins 2018-02-15 4.0 MEDIUM 6.5 MEDIUM
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
CVE-2017-1000503 1 Jenkins 1 Jenkins 2018-02-12 6.8 MEDIUM 8.1 HIGH
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.
CVE-2016-3723 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 4.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
CVE-2016-0789 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2016-0790 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
CVE-2016-0791 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 7.5 HIGH 9.8 CRITICAL
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
CVE-2016-0792 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 9.0 HIGH 8.8 HIGH
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
CVE-2016-0788 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 10.0 HIGH 9.8 CRITICAL
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
CVE-2016-3727 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 4.0 MEDIUM 4.3 MEDIUM
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
CVE-2016-3724 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-04 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.