Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Jenkins Subscribe
Total 1395 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-1000109 1 Jenkins 1 Owasp Dependency-check 2017-10-19 4.3 MEDIUM 6.1 MEDIUM
The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
CVE-2017-1000091 1 Jenkins 1 Github Branch Source 2017-10-17 6.8 MEDIUM 6.3 MEDIUM
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.
CVE-2017-1000092 1 Jenkins 1 Git 2017-10-17 2.6 LOW 7.5 HIGH
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
CVE-2017-1000114 1 Jenkins 1 Datadog 2017-10-17 4.3 MEDIUM 3.1 LOW
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form.
CVE-2017-1000093 1 Jenkins 1 Poll Scm 2017-10-17 6.8 MEDIUM 8.8 HIGH
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
CVE-2017-1000094 1 Jenkins 1 Docker Commons 2017-10-17 4.0 MEDIUM 6.5 MEDIUM
Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
CVE-2014-9635 2 Apache, Jenkins 2 Tomcat, Jenkins 2017-09-21 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
CVE-2014-9634 2 Apache, Jenkins 2 Tomcat, Jenkins 2017-09-21 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
CVE-2014-2067 1 Jenkins 1 Jenkins 2017-08-28 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."
CVE-2014-2059 1 Jenkins 1 Jenkins 2017-08-28 6.5 MEDIUM N/A
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.
CVE-2013-5573 1 Jenkins 1 Jenkins 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
CVE-2017-1000362 1 Jenkins 1 Jenkins 2017-07-26 5.0 MEDIUM 9.8 CRITICAL
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.
CVE-2016-3102 1 Jenkins 1 Script Security 2017-02-28 7.5 HIGH 7.3 HIGH
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
CVE-2015-1814 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 7.5 HIGH N/A
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.
CVE-2015-1812 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.
CVE-2015-1808 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 3.5 LOW N/A
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.
CVE-2015-1807 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 3.5 LOW N/A
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.
CVE-2015-1806 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 6.5 MEDIUM N/A
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.
CVE-2015-1810 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 4.6 MEDIUM N/A
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.
CVE-2015-1813 2 Jenkins, Redhat 2 Jenkins, Openshift 2016-06-15 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.