Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-2600 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). | |||||
| CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | |||||
| CVE-2018-1000864 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
| CVE-2018-1000109 | 1 Jenkins | 1 Google-play-android-publisher | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. | |||||
| CVE-2018-1000603 | 1 Jenkins | 1 Openstack Cloud | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in BootSource.java, InstancesToRun.java, JCloudsCleanupThread.java, JCloudsCloud.java, JCloudsComputer.java, JCloudsPreCreationThread.java, JCloudsRetentionStrategy.java, JCloudsSlave.java, JCloudsSlaveTemplate.java, LauncherFactory.java, OpenstackCredentials.java, OpenStackMachineStep.java, SlaveOptions.java, SlaveOptionsDescriptor.java that allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs. | |||||
| CVE-2018-1999030 | 1 Jenkins | 1 Maven Artifact Choicelistprovider \(nexus\) | 2019-10-03 | 4.0 MEDIUM | 5.4 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1000189 | 1 Jenkins | 1 Absint Astree | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master. | |||||
| CVE-2018-1000600 | 1 Jenkins | 1 Github | 2019-10-03 | 4.3 MEDIUM | 8.8 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
| CVE-2018-1000404 | 1 Jenkins | 1 Aws Codebuild | 2019-10-03 | 2.1 LOW | 7.8 HIGH |
| Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later. | |||||
| CVE-2017-1000095 | 1 Jenkins | 1 Script Security | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object). | |||||
| CVE-2018-1000608 | 1 Jenkins | 1 Z\/os Connector | 2019-10-03 | 4.0 MEDIUM | 7.2 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. | |||||
| CVE-2017-1000110 | 1 Jenkins | 1 Blue Ocean | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean. | |||||
| CVE-2018-1999040 | 1 Jenkins | 1 Kubernetes | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2018-1000110 | 1 Jenkins | 1 Git | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. | |||||
| CVE-2018-1999028 | 1 Jenkins | 1 Accurev | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2017-1000096 | 1 Jenkins | 1 Pipeline\ | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | |||||
| CVE-2018-1000408 | 1 Jenkins | 1 Jenkins | 2019-10-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory. | |||||
| CVE-2018-1000105 | 1 Jenkins | 1 Gerrit Trigger | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins. | |||||
| CVE-2018-1000197 | 1 Jenkins | 1 Black Duck Hub | 2019-10-03 | 5.5 MEDIUM | 8.1 HIGH |
| An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration. | |||||