Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1331 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1000010 1 Jenkins 1 Dry 2018-02-07 6.5 MEDIUM 8.8 HIGH
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000011 1 Jenkins 1 Findbugs 2018-02-07 6.5 MEDIUM 8.8 HIGH
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000012 1 Jenkins 1 Warnings 2018-02-07 6.5 MEDIUM 8.8 HIGH
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000009 1 Jenkins 1 Checkstyle 2018-02-07 6.5 MEDIUM 8.8 HIGH
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2018-1000008 1 Jenkins 1 Pmd 2018-02-07 6.5 MEDIUM 8.8 HIGH
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
CVE-2016-3722 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."
CVE-2016-3723 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
CVE-2016-3724 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.
CVE-2016-3725 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 5.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).
CVE-2016-0788 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 10.0 HIGH 9.8 CRITICAL
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
CVE-2016-3726 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 5.8 MEDIUM 7.4 HIGH
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.
CVE-2016-3727 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
CVE-2016-0789 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2016-0790 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
CVE-2016-0791 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 7.5 HIGH 9.8 CRITICAL
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
CVE-2016-0792 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 9.0 HIGH 8.8 HIGH
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
CVE-2016-3721 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
CVE-2017-17383 1 Jenkins 1 Jenkins 2017-12-22 3.5 LOW 4.7 MEDIUM
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
CVE-2017-1000242 1 Jenkins 1 Git Client 2017-11-25 2.1 LOW 3.3 LOW
Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure
CVE-2017-1000085 1 Jenkins 1 Subversion 2017-11-02 4.3 MEDIUM 6.5 MEDIUM
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.