Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1603 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1000106 1 Jenkins 1 Gerrit Trigger 2019-10-03 5.5 MEDIUM 5.4 MEDIUM
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins.
CVE-2017-1000403 1 Jenkins 1 Speaks\! 2019-10-03 6.5 MEDIUM 8.8 HIGH
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.
CVE-2017-1000084 1 Jenkins 1 Parameterized Trigger 2019-10-03 4.0 MEDIUM 6.5 MEDIUM
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.
CVE-2018-1000112 1 Jenkins 1 Mercurial 2019-10-03 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVE-2018-1999047 1 Jenkins 1 Jenkins 2019-10-03 4.0 MEDIUM 6.5 MEDIUM
A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.
CVE-2018-1000057 1 Jenkins 1 Credentials Binding 2019-10-03 4.0 MEDIUM 4.3 MEDIUM
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.
CVE-2017-1000106 1 Jenkins 1 Blue Ocean 2019-10-03 5.5 MEDIUM 8.5 HIGH
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name.
CVE-2018-1999043 1 Jenkins 1 Jenkins 2019-10-03 5.0 MEDIUM 7.5 HIGH
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.
CVE-2017-1000104 1 Jenkins 1 Config File Provider 2019-10-03 4.0 MEDIUM 6.5 MEDIUM
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files.
CVE-2018-1000610 1 Jenkins 1 Configuration As Code 2019-10-03 4.0 MEDIUM 8.8 HIGH
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin.
CVE-2018-1000403 1 Jenkins 1 Aws Codedeploy 2019-10-03 2.1 LOW 7.8 HIGH
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later.
CVE-2018-1000104 1 Jenkins 1 Coverity 2019-10-03 2.1 LOW 7.8 HIGH
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords.
CVE-2017-1000245 1 Jenkins 1 Ssh 2019-10-03 5.0 MEDIUM 9.8 CRITICAL
The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.
CVE-2018-1000145 1 Jenkins 1 Perforce 2019-10-03 5.0 MEDIUM 6.5 MEDIUM
An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to obtain encrypted Perforce passwords and decrypt them.
CVE-2018-1000146 1 Jenkins 1 Liquibase Runner 2019-10-03 6.5 MEDIUM 8.8 HIGH
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
CVE-2018-1000401 1 Jenkins 1 Aws Codepipeline 2019-10-03 2.1 LOW 7.8 HIGH
Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.
CVE-2018-1000114 1 Jenkins 1 Promoted Builds 2019-10-03 4.0 MEDIUM 4.3 MEDIUM
An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions.
CVE-2018-1999044 1 Jenkins 1 Jenkins 2019-10-03 4.0 MEDIUM 6.5 MEDIUM
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2018-1000152 1 Jenkins 1 Vsphere 2019-10-03 6.5 MEDIUM 6.3 MEDIUM
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
CVE-2018-1000107 1 Jenkins 1 Job And Node Ownership 2019-10-03 4.0 MEDIUM 6.5 MEDIUM
An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata.