Filtered by vendor Jenkins
Subscribe
Total
1744 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000054 | 1 Jenkins | 1 Ccm | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
|
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000015 | 1 Jenkins | 1 Pipeline Nodes And Processes | 2024-11-21 | 4.9 MEDIUM | 4.8 MEDIUM |
|
On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
|
|||||
| CVE-2018-1000014 | 1 Jenkins | 1 Translation Assistance | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
|
|||||
| CVE-2018-1000013 | 1 Jenkins | 1 Release | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
|
|||||
| CVE-2018-1000012 | 1 Jenkins | 1 Warnings | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000011 | 1 Jenkins | 1 Findbugs | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000010 | 1 Jenkins | 1 Dry | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000009 | 1 Jenkins | 1 Checkstyle | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2018-1000008 | 1 Jenkins | 1 Pmd | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2017-2654 | 1 Jenkins | 1 Email Extension | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW |
|
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email ...
Show More |
|||||
| CVE-2017-2652 | 1 Jenkins | 1 Distributed Fork | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
|
|||||
| CVE-2017-2651 | 1 Jenkins | 1 Mailer | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
|
jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
|
|||||
| CVE-2017-2650 | 1 Jenkins | 1 Pipeline Classpath Step | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
|
It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.
|
|||||
| CVE-2017-2649 | 1 Jenkins | 1 Active Directory | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
|
|||||
| CVE-2017-2648 | 1 Jenkins | 1 Ssh Slaves | 2024-11-21 | 6.8 MEDIUM | 6.8 MEDIUM |
|
It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
|
|||||
| CVE-2017-2613 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).
|
|||||
| CVE-2017-2612 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.
|
|||||
| CVE-2017-2611 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
|
|||||
| CVE-2017-2610 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).
|
|||||
| CVE-2017-2609 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
|
|||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
|
|||||
| CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.2 MEDIUM |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs ...
Show More |
|||||
| CVE-2017-2606 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
|
|||||
| CVE-2017-2604 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
|
|||||
| CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 2.6 LOW |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
|
|||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
|
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).
|
|||||
| CVE-2017-2601 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
|
|||||
| CVE-2017-2600 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).
|
|||||
| CVE-2017-2599 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).
|
|||||
| CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
|
|||||
| CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval.
|
|||||
| CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
|
|||||
| CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.
|
|||||
| CVE-2017-1000502 | 1 Jenkins | 1 Ec2 | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.
|
|||||
| CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
|
|||||
| CVE-2017-1000403 | 1 Jenkins | 1 Speaks\! | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.
|
|||||
| CVE-2017-1000402 | 1 Jenkins | 1 Swarm | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
|
|||||
| CVE-2017-1000401 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 1.2 LOW | 2.2 LOW |
|
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.
|
|||||
| CVE-2017-1000400 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.
|
|||||
| CVE-2017-1000399 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.
|
|||||