Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-2610 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). | |||||
| CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 3.5 LOW |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). | |||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). | |||||
| CVE-2017-2600 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). | |||||
| CVE-2017-2613 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 5.8 MEDIUM | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). | |||||
| CVE-2017-2612 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. | |||||
| CVE-2017-2604 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). | |||||
| CVE-2017-2609 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. | |||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). | |||||
| CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. | |||||
| CVE-2017-2606 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. | |||||
| CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | |||||
| CVE-2018-1000403 | 1 Jenkins | 1 Aws Codedeploy | 2019-10-02 | 2.1 LOW | 7.8 HIGH |
| Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later. | |||||
| CVE-2018-1999047 | 1 Jenkins | 1 Jenkins | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. | |||||
| CVE-2018-1999028 | 1 Jenkins | 1 Accurev | 2019-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1999030 | 1 Jenkins | 1 Maven Artifact Choicelistprovider \(nexus\) | 2019-10-02 | 4.0 MEDIUM | 5.4 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
| CVE-2018-1000865 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | |||||
| CVE-2018-1000864 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
| CVE-2018-1000863 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-02 | 6.4 MEDIUM | 8.2 HIGH |
| A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | |||||