National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:jenkins:jenkins:1.480.2::~~lts~~~
There are 132 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-1003050

The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

Published: April 10, 2019; 05:29:01 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-1003049

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Published: April 10, 2019; 05:29:01 PM -04:00
V3: 8.1 HIGH
V2: 6.8 MEDIUM
CVE-2018-1000997

A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.

Published: January 23, 2019; 05:29:00 PM -05:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-1003004

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.

Published: January 22, 2019; 09:29:00 AM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-1003003

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

Published: January 22, 2019; 09:29:00 AM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-1000410

An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.

Published: January 09, 2019; 06:29:02 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2018-1000409

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.

Published: January 09, 2019; 06:29:02 PM -05:00
V3: 5.4 MEDIUM
V2: 5.8 MEDIUM
CVE-2018-1000408

A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.

Published: January 09, 2019; 06:29:02 PM -05:00
V3: 6.5 MEDIUM
V2: 6.4 MEDIUM
CVE-2018-1000407

A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.

Published: January 09, 2019; 06:29:02 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-1000406

A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

Published: January 09, 2019; 06:29:02 PM -05:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1000864

A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Published: December 10, 2018; 09:29:01 AM -05:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1000863

A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.

Published: December 10, 2018; 09:29:01 AM -05:00
V3: 8.2 HIGH
V2: 6.4 MEDIUM
CVE-2018-1000862

An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.

Published: December 10, 2018; 09:29:01 AM -05:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1000861

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Published: December 10, 2018; 09:29:01 AM -05:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2018-1999047

A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Published: August 23, 2018; 02:29:01 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1999046

A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent.

Published: August 23, 2018; 02:29:00 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1999045

A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Published: August 23, 2018; 02:29:00 PM -04:00
V3: 5.4 MEDIUM
V2: 5.5 MEDIUM
CVE-2018-1999044

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Published: August 23, 2018; 02:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-1999043

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Published: August 23, 2018; 02:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-1999042

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Published: August 23, 2018; 02:29:00 PM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM