Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-1003006 | 1 Jenkins | 1 Groovy | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
CVE-2018-1000412 | 1 Jenkins | 1 Jira | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2019-1003016 | 1 Jenkins | 1 Job Import | 2023-12-10 | 4.3 MEDIUM | 8.8 HIGH |
An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2019-1003017 | 1 Jenkins | 1 Job Import | 2023-12-10 | 2.6 LOW | 5.3 MEDIUM |
A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. | |||||
CVE-2018-1999031 | 1 Jenkins | 1 Meliora Testlab | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. | |||||
CVE-2018-1999034 | 1 Jenkins | 1 Inedo Proget | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to. | |||||
CVE-2018-1999002 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. | |||||
CVE-2019-1003015 | 1 Jenkins | 1 Job Import | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc. | |||||
CVE-2018-1999027 | 1 Jenkins | 1 Saltstack | 2023-12-10 | 6.8 MEDIUM | 7.5 HIGH |
An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
CVE-2019-1003027 | 1 Jenkins | 1 Octopusdeploy | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise. | |||||
CVE-2018-1000862 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | |||||
CVE-2018-1999037 | 1 Jenkins | 1 Resource Disposer | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource. | |||||
CVE-2018-1999001 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.3 MEDIUM | 8.8 HIGH |
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. | |||||
CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
CVE-2019-1003008 | 1 Jenkins | 1 Warnings Next Generation | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint. | |||||
CVE-2019-1003019 | 1 Jenkins | 1 Github Oauth | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
CVE-2018-1000406 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. | |||||
CVE-2018-1999004 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. | |||||
CVE-2017-2649 | 1 Jenkins | 1 Active Directory | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. | |||||
CVE-2019-1003004 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time. |