Filtered by vendor Jenkins
Subscribe
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-1000013 | 1 Jenkins | 1 Release | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. | |||||
CVE-2018-1000600 | 1 Jenkins | 1 Github | 2023-12-10 | 4.3 MEDIUM | 8.8 HIGH |
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2017-1000353 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. | |||||
CVE-2018-1000175 | 1 Jenkins | 1 Html Publisher | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master. | |||||
CVE-2018-1000601 | 1 Jenkins | 1 Ssh Credentials | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system. | |||||
CVE-2018-1000185 | 1 Jenkins | 1 Github Branch Source | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
CVE-2018-1000606 | 1 Jenkins | 1 Urltrigger | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
CVE-2017-1000402 | 1 Jenkins | 1 Swarm | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | |||||
CVE-2018-1000067 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. | |||||
CVE-2017-1000389 | 1 Jenkins | 1 Global-build-stats | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability. | |||||
CVE-2018-1000068 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. | |||||
CVE-2018-1000143 | 1 Jenkins | 1 Github Pull Request Builder | 2023-12-10 | 2.1 LOW | 6.7 MEDIUM |
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. | |||||
CVE-2018-1000150 | 1 Jenkins | 1 Reverse Proxy Auth | 2023-12-10 | 2.1 LOW | 3.3 LOW |
An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users. | |||||
CVE-2018-1000146 | 1 Jenkins | 1 Liquibase Runner | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM. | |||||
CVE-2018-1000170 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
CVE-2018-1000149 | 1 Jenkins | 1 Ansible | 2023-12-10 | 6.8 MEDIUM | 5.6 MEDIUM |
A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. | |||||
CVE-2018-1000195 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | |||||
CVE-2018-1000182 | 1 Jenkins | 1 Git | 2023-12-10 | 5.5 MEDIUM | 6.4 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
CVE-2017-2599 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). | |||||
CVE-2018-1000610 | 1 Jenkins | 1 Configuration As Code | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin. |