Search Results (Refine Search)
- CPE Product Version: cpe:/a:jenkins:jenkins:1.419::~~lts~~~
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-1000407 |
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. Published: January 09, 2019; 6:29:02 PM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-1000406 |
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. Published: January 09, 2019; 6:29:02 PM -0500 |
V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000864 |
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. Published: December 10, 2018; 9:29:01 AM -0500 |
V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000863 |
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. Published: December 10, 2018; 9:29:01 AM -0500 |
V3.0: 8.2 HIGH V2.0: 6.4 MEDIUM |
CVE-2018-1000862 |
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. Published: December 10, 2018; 9:29:01 AM -0500 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000861 |
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. Published: December 10, 2018; 9:29:01 AM -0500 |
V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2018-1999047 |
A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. Published: August 23, 2018; 2:29:01 PM -0400 |
V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1999046 |
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. Published: August 23, 2018; 2:29:00 PM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1999045 |
A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. Published: August 23, 2018; 2:29:00 PM -0400 |
V3.0: 5.4 MEDIUM V2.0: 5.5 MEDIUM |
CVE-2018-1999044 |
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. Published: August 23, 2018; 2:29:00 PM -0400 |
V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1999043 |
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. Published: August 23, 2018; 2:29:00 PM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-1999042 |
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. Published: August 23, 2018; 2:29:00 PM -0400 |
V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2018-1999006 |
A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. Published: July 23, 2018; 3:29:00 PM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000195 |
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. Published: June 05, 2018; 5:29:00 PM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-1000194 |
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. Published: June 05, 2018; 5:29:00 PM -0400 |
V3.1: 8.1 HIGH V2.0: 5.5 MEDIUM |
CVE-2018-1000193 |
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. Published: June 05, 2018; 5:29:00 PM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000192 |
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. Published: June 05, 2018; 5:29:00 PM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2017-2598 |
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). Published: May 23, 2018; 9:29:00 AM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2017-2609 |
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. Published: May 22, 2018; 1:29:00 PM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2017-2607 |
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. Published: May 21, 2018; 7:29:00 PM -0400 |
V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |