Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1003082 | 1 Jenkins | 1 Gearman | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003042 | 1 Jenkins | 1 Lockable Resources | 2020-06-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | |||||
| CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003044 | 1 Jenkins | 1 Slack Notification | 2020-06-23 | 2.1 LOW | 7.1 HIGH |
| A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-1003084 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2020-2200 | 1 Jenkins | 1 Play Framework | 2020-06-04 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master. | |||||
| CVE-2020-2199 | 1 Jenkins | 1 Subversion Partial Release Manager | 2020-06-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability. | |||||
| CVE-2020-2198 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure. | |||||
| CVE-2020-2191 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels. | |||||
| CVE-2020-2197 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format. | |||||
| CVE-2020-2192 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2020-06-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. | |||||
| CVE-2020-2194 | 1 Jenkins | 1 Echarts Api | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2195 | 1 Jenkins | 1 Compact Columns | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. | |||||
| CVE-2020-2193 | 1 Jenkins | 1 Echarts Api | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2190 | 1 Jenkins | 1 Script Security | 2020-06-03 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-2181 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | |||||
| CVE-2020-2182 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. | |||||
| CVE-2020-2188 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2020-2183 | 1 Jenkins | 1 Copy Artifact | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. | |||||
| CVE-2020-2187 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 6.8 MEDIUM | 5.6 MEDIUM |
| Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. | |||||