Total: 244 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-6356 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master that they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. |
CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM | Jenkins before versions 2.44 and 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. |
CVE-2017-1000395 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts to anyone with Overall/Read permission via the /user/(username)/api remote API. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator. |
CVE-2017-2601 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM | Jenkins before versions 2.44 and 2.32.2 is vulnerable to persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. |
CVE-2018-1000194 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH | A path traversal vulnerability exists in Jenkins 2.120 and older and LTS 2.107.2 and older, in FilePath.java and SoloFilePathFilter.java, that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. |
CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 3.5 LOW | Jenkins before versions 2.44 and 2.32.2 is vulnerable to a user data leak in the config.xml API of disconnected agents. This could leak sensitive data such as API tokens (SECURITY-362). |
CVE-2018-1000192 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | An information exposure vulnerability exists in Jenkins 2.120 and older and LTS 2.107.2 and older, in AboutJenkins.java and ListPluginsCommand.java, that allows users with Overall/Read access to enumerate all installed plugins. |
CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to a Java crash in XStream when trying to instantiate void/Void. |
CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH | A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. |
CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to a `login` command that allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins and download their encrypted values (e.g. with Job/Configure permission) were able to impersonate any other Jenkins user on the same instance. |
CVE-2017-1000392 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters such as less-than and greater-than characters. |
CVE-2017-1000393 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 9.0 HIGH | 8.8 HIGH | In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators. |
CVE-2014-9635 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. |
CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 3.5 LOW | 4.7 MEDIUM | Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. |
CVE-2017-1000362 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups and delete it if present. |
CVE-2014-9634 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. |
CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. |
CVE-2015-1808 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2023-12-10 | 3.5 LOW | N/A | Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. |
CVE-2016-0791 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute-force approach. |
CVE-2015-1806 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2023-12-10 | 6.5 MEDIUM | N/A | The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. |