Total
233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1999045 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. | |||||
| CVE-2018-1999042 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. | |||||
| CVE-2018-1999006 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. | |||||
| CVE-2012-0325 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324. | |||||
| CVE-2012-6072 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2012-6073 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2013-0158 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 2.6 LOW | N/A |
| Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors. | |||||
| CVE-2012-0324 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325. | |||||
| CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. | |||||
| CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | |||||
| CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | |||||
| CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2018-02-12 | 6.8 MEDIUM | 8.1 HIGH |
| A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. | |||||
| CVE-2016-3723 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. | |||||
| CVE-2016-0789 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2016-0790 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. | |||||
| CVE-2016-0791 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. | |||||
| CVE-2016-0792 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 9.0 HIGH | 8.8 HIGH |
| Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. | |||||
| CVE-2016-0788 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 10.0 HIGH | 9.8 CRITICAL |
| The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener. | |||||
| CVE-2016-3727 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. | |||||
| CVE-2016-3724 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2018-01-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. | |||||