Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-10332 | 1 Jenkins | 1 Electricflow | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials. | |||||
CVE-2019-10310 | 1 Jenkins | 1 Ansible Tower | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins | |||||
CVE-2019-1003056 | 1 Jenkins | 1 Websphere Deployer | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
CVE-2019-10393 | 1 Jenkins | 1 Script Security | 2023-12-10 | 4.9 MEDIUM | 4.2 MEDIUM |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
CVE-2019-1003053 | 1 Jenkins | 1 Hockeyapp | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
CVE-2019-1003077 | 1 Jenkins | 1 Audit To Database | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
CVE-2019-10334 | 1 Jenkins | 1 Electricflow | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. | |||||
CVE-2019-1003090 | 1 Jenkins | 1 Soasta Cloudtest | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
CVE-2019-1003084 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
CVE-2019-1003035 | 1 Jenkins | 1 Azure Vm Agents | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration. | |||||
CVE-2019-10305 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
CVE-2019-10363 | 1 Jenkins | 1 Configuration As Code | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form. | |||||
CVE-2019-10346 | 1 Jenkins | 1 Embeddable Build Status | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin. | |||||
CVE-2019-10312 | 1 Jenkins | 1 Ansible Tower | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | |||||
CVE-2019-10331 | 1 Jenkins | 1 Electricflow | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
CVE-2019-1003005 | 1 Jenkins | 1 Script Security | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
CVE-2018-1999003 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. | |||||
CVE-2019-1003023 | 1 Jenkins | 1 Warnings Next Generation | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML. | |||||
CVE-2019-1003013 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. | |||||
CVE-2018-1999046 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. |