Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000142 | 1 Jenkins | 1 Github Pull Request Builder | 2018-05-15 | 2.1 LOW | 7.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. | |||||
| CVE-2018-1000143 | 1 Jenkins | 1 Github Pull Request Builder | 2018-05-15 | 2.1 LOW | 6.7 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. | |||||
| CVE-2018-1000150 | 1 Jenkins | 1 Reverse Proxy Auth | 2018-05-15 | 2.1 LOW | 3.3 LOW |
| An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users. | |||||
| CVE-2018-1000151 | 1 Jenkins | 1 Vsphere | 2018-05-15 | 6.8 MEDIUM | 5.6 MEDIUM |
| A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. | |||||
| CVE-2018-1000144 | 1 Jenkins | 1 Cucumber Living Documentation | 2018-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. | |||||
| CVE-2018-1000113 | 1 Jenkins | 1 Testlink | 2018-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript | |||||
| CVE-2018-1000108 | 1 Jenkins | 1 Cppncss | 2018-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed. | |||||
| CVE-2018-1000054 | 1 Jenkins | 1 Ccm | 2018-03-13 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2018-1000058 | 1 Jenkins | 1 Pipeline Supporting Apis | 2018-03-06 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | |||||
| CVE-2018-1000056 | 1 Jenkins | 1 Junit | 2018-03-06 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2018-1000055 | 1 Jenkins | 1 Android Lint | 2018-03-06 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. | |||||
| CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | |||||
| CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | |||||
| CVE-2017-1000502 | 1 Jenkins | 1 Ec2 | 2018-02-12 | 9.0 HIGH | 8.8 HIGH |
| Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators. | |||||
| CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2018-02-12 | 6.8 MEDIUM | 8.1 HIGH |
| A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. | |||||
| CVE-2017-1000389 | 1 Jenkins | 1 Global-build-stats | 2018-02-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability. | |||||
| CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2018-02-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. | |||||
| CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2018-02-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. | |||||
| CVE-2017-1000402 | 1 Jenkins | 1 Swarm | 2018-02-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | |||||