Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Filtered by product Jenkins
Total 210 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-2601 1 Jenkins 1 Jenkins 2022-06-23 3.5 LOW 5.4 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2018-1000067 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
CVE-2018-6356 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
CVE-2018-1000068 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 5.0 MEDIUM 5.3 MEDIUM
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.
CVE-2017-1000353 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 7.5 HIGH 9.8 CRITICAL
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
CVE-2018-1000192 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.0 MEDIUM 4.3 MEDIUM
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.
CVE-2018-1999001 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.3 MEDIUM 8.8 HIGH
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
CVE-2018-1000194 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 5.5 MEDIUM 8.1 HIGH
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
CVE-2018-1000195 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.3 MEDIUM 4.3 MEDIUM
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
CVE-2018-1000193 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.0 MEDIUM 4.3 MEDIUM
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
CVE-2018-1999002 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 5.0 MEDIUM 7.5 HIGH
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
CVE-2018-1999003 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.0 MEDIUM 4.3 MEDIUM
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.
CVE-2018-1999007 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 3.5 LOW 5.4 MEDIUM
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.
CVE-2018-1999005 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 3.5 LOW 5.4 MEDIUM
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
CVE-2018-1999004 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 4.0 MEDIUM 4.3 MEDIUM
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.
CVE-2018-1000861 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2022-06-13 10.0 HIGH 9.8 CRITICAL
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
CVE-2019-1003050 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2022-06-13 3.5 LOW 5.4 MEDIUM
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
CVE-2019-10384 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2022-06-13 6.8 MEDIUM 8.8 HIGH
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVE-2019-10383 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2022-06-13 3.5 LOW 4.8 MEDIUM
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
CVE-2019-1003049 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2022-06-13 6.8 MEDIUM 8.1 HIGH
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.