Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1003024 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2020-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
| CVE-2019-1003025 | 1 Jenkins | 1 Cloud Foundry | 2020-09-28 | 4.0 MEDIUM | 8.8 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2020-2279 | 1 Jenkins | 1 Script Security | 2020-09-28 | 6.5 MEDIUM | 9.9 CRITICAL |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM. | |||||
| CVE-2020-2280 | 1 Jenkins | 1 Warnings | 2020-09-28 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code. | |||||
| CVE-2020-2281 | 1 Jenkins | 1 Lockable Resources | 2020-09-28 | 5.8 MEDIUM | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources. | |||||
| CVE-2020-2282 | 1 Jenkins | 1 Implied Labels | 2020-09-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin. | |||||
| CVE-2020-2283 | 1 Jenkins | 1 Liquibase Runner | 2020-09-28 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control changeset files evaluated by the plugin. | |||||
| CVE-2020-2284 | 1 Jenkins | 1 Liquibase Runner | 2020-09-28 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2268 | 1 Jenkins | 1 Mongodb | 2020-09-21 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. | |||||
| CVE-2020-2271 | 1 Jenkins | 1 Locked Files Report | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2275 | 1 Jenkins | 1 Copy Data To Workspace | 2020-09-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller. | |||||
| CVE-2020-2276 | 1 Jenkins | 1 Selection Tasks | 2020-09-18 | 9.0 HIGH | 8.8 HIGH |
| Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as. | |||||
| CVE-2020-2252 | 1 Jenkins | 1 Mailer | 2020-09-18 | 5.8 MEDIUM | 4.8 MEDIUM |
| Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. | |||||
| CVE-2020-2253 | 1 Jenkins | 1 Email Extension | 2020-09-18 | 5.8 MEDIUM | 4.8 MEDIUM |
| Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. | |||||
| CVE-2020-2254 | 1 Jenkins | 1 Blue Ocean | 2020-09-18 | 3.5 LOW | 6.5 MEDIUM |
| Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2020-2255 | 1 Jenkins | 1 Blue Ocean | 2020-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2020-2258 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2020-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint. | |||||
| CVE-2020-2260 | 1 Jenkins | 1 Perfecto | 2020-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. | |||||
| CVE-2020-2261 | 1 Jenkins | 1 Perfecto | 2020-09-18 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller | |||||
| CVE-2020-2265 | 1 Jenkins | 1 Coverage\/complexity Scatter Plot | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step. | |||||