Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1331 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1000151 1 Jenkins 1 Vsphere 2018-05-15 6.8 MEDIUM 5.6 MEDIUM
A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default.
CVE-2018-1000144 1 Jenkins 1 Cucumber Living Documentation 2018-05-15 4.3 MEDIUM 6.1 MEDIUM
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users.
CVE-2018-1000113 1 Jenkins 1 Testlink 2018-04-04 3.5 LOW 5.4 MEDIUM
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
CVE-2018-1000108 1 Jenkins 1 Cppncss 2018-04-04 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.
CVE-2018-1000054 1 Jenkins 1 Ccm 2018-03-13 6.5 MEDIUM 8.3 HIGH
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000058 1 Jenkins 1 Pipeline Supporting Apis 2018-03-06 6.5 MEDIUM 8.8 HIGH
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
CVE-2018-1000056 1 Jenkins 1 Junit 2018-03-06 6.5 MEDIUM 8.3 HIGH
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000055 1 Jenkins 1 Android Lint 2018-03-06 6.5 MEDIUM 8.3 HIGH
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2017-1000354 1 Jenkins 1 Jenkins 2018-02-15 6.5 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
CVE-2017-1000356 1 Jenkins 1 Jenkins 2018-02-15 6.8 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.
CVE-2017-1000355 1 Jenkins 1 Jenkins 2018-02-15 4.0 MEDIUM 6.5 MEDIUM
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
CVE-2017-1000502 1 Jenkins 1 Ec2 2018-02-12 9.0 HIGH 8.8 HIGH
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.
CVE-2017-1000503 1 Jenkins 1 Jenkins 2018-02-12 6.8 MEDIUM 8.1 HIGH
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.
CVE-2017-1000389 1 Jenkins 1 Global-build-stats 2018-02-12 4.3 MEDIUM 6.1 MEDIUM
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.
CVE-2017-1000505 1 Jenkins 1 Script Security 2018-02-09 4.0 MEDIUM 6.5 MEDIUM
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval.
CVE-2017-1000404 1 Jenkins 1 Delivery Pipeline 2018-02-08 4.3 MEDIUM 6.1 MEDIUM
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
CVE-2017-1000402 1 Jenkins 1 Swarm 2018-02-08 4.3 MEDIUM 5.9 MEDIUM
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
CVE-2017-1000397 1 Jenkins 1 Maven 2018-02-08 4.3 MEDIUM 5.9 MEDIUM
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
CVE-2018-1000014 1 Jenkins 1 Translation Assistance 2018-02-07 6.8 MEDIUM 8.8 HIGH
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
CVE-2018-1000013 1 Jenkins 1 Release 2018-02-07 6.8 MEDIUM 8.8 HIGH
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.