Filtered by vendor Jenkins
Subscribe
Total
1744 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000186 | 1 Jenkins | 1 Github Pull Request Builder | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2018-1000185 | 1 Jenkins | 1 Github Branch Source | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
|
|||||
| CVE-2018-1000184 | 1 Jenkins | 1 Github | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
|
|||||
| CVE-2018-1000183 | 1 Jenkins | 1 Github | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2018-1000182 | 1 Jenkins | 1 Git | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM |
|
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
|
|||||
| CVE-2018-1000177 | 1 Jenkins | 1 S3 Publisher | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.
|
|||||
| CVE-2018-1000176 | 1 Jenkins | 1 Email Extension | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.
|
|||||
| CVE-2018-1000175 | 1 Jenkins | 1 Html Publisher | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master.
|
|||||
| CVE-2018-1000174 | 1 Jenkins | 1 Google Login | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login.
|
|||||
| CVE-2018-1000173 | 1 Jenkins | 1 Google Login | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
|
|||||
| CVE-2018-1000170 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.
|
|||||
| CVE-2018-1000169 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.
|
|||||
| CVE-2018-1000153 | 1 Jenkins | 1 Vsphere | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSla ...
Show More |
|||||
| CVE-2018-1000152 | 1 Jenkins | 1 Vsphere | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave. ...
Show More |
|||||
| CVE-2018-1000151 | 1 Jenkins | 1 Vsphere | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
|
A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default.
|
|||||
| CVE-2018-1000150 | 1 Jenkins | 1 Reverse Proxy Auth | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users.
|
|||||
| CVE-2018-1000149 | 1 Jenkins | 1 Ansible | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
|
A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default.
|
|||||
| CVE-2018-1000148 | 1 Jenkins | 1 Copy To Slave | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure jobs to read arbitrary files from the Jenkins master file system.
|
|||||
| CVE-2018-1000146 | 1 Jenkins | 1 Liquibase Runner | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
|
|||||
| CVE-2018-1000145 | 1 Jenkins | 1 Perforce | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
|
An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to obtain encrypted Perforce passwords and decrypt them.
|
|||||
| CVE-2018-1000144 | 1 Jenkins | 1 Cucumber Living Documentation | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users.
|
|||||
| CVE-2018-1000143 | 1 Jenkins | 1 Github Pull Request Builder | 2024-11-21 | 2.1 LOW | 6.7 MEDIUM |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
|
|||||
| CVE-2018-1000142 | 1 Jenkins | 1 Github Pull Request Builder | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
|
|||||
| CVE-2018-1000114 | 1 Jenkins | 1 Promoted Builds | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions.
|
|||||
| CVE-2018-1000113 | 1 Jenkins | 1 Testlink | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
|
|||||
| CVE-2018-1000112 | 1 Jenkins | 1 Mercurial | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.
|
|||||
| CVE-2018-1000111 | 1 Jenkins | 1 Subversion | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users.
|
|||||
| CVE-2018-1000110 | 1 Jenkins | 1 Git | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
|
|||||
| CVE-2018-1000109 | 1 Jenkins | 1 Google-play-android-publisher | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs.
|
|||||
| CVE-2018-1000108 | 1 Jenkins | 1 Cppncss | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.
|
|||||
| CVE-2018-1000107 | 1 Jenkins | 1 Job And Node Ownership | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata.
|
|||||
| CVE-2018-1000106 | 1 Jenkins | 1 Gerrit Trigger | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins.
|
|||||
| CVE-2018-1000105 | 1 Jenkins | 1 Gerrit Trigger | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins.
|
|||||
| CVE-2018-1000104 | 1 Jenkins | 1 Coverity | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords.
|
|||||
| CVE-2018-1000068 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.
|
|||||
| CVE-2018-1000067 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
|
|||||
| CVE-2018-1000058 | 1 Jenkins | 1 Pipeline Supporting Apis | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
|
|||||
| CVE-2018-1000057 | 1 Jenkins | 1 Credentials Binding | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.
|
|||||
| CVE-2018-1000056 | 1 Jenkins | 1 Junit | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
|
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000055 | 1 Jenkins | 1 Android Lint | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
|
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||