U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:jenkins:jenkins:1.360:*:*:*:-:*:*:*
  • CPE Name Search: true
There are 233 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2018-1999001

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Published: July 23, 2018; 3:29:00 PM -0400
V4.0:(not available)
V3.1: 8.8 HIGH
V2.0: 4.3 MEDIUM
CVE-2018-1000195

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Published: June 05, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-1000194

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Published: June 05, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.1: 8.1 HIGH
V2.0: 5.5 MEDIUM
CVE-2018-1000193

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Published: June 05, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-1000192

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Published: June 05, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2598

Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

Published: May 23, 2018; 9:29:00 AM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2609

jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.

Published: May 22, 2018; 1:29:00 PM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2607

jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

Published: May 21, 2018; 7:29:00 PM -0400
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2017-2613

jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

Published: May 15, 2018; 6:29:00 PM -0400
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2017-2610

jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).

Published: May 15, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2017-2604

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

Published: May 15, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2603

Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

Published: May 15, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.0: 3.5 LOW
V2.0: 3.5 LOW
CVE-2017-2602

jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).

Published: May 15, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2612

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.

Published: May 15, 2018; 4:29:00 PM -0400
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 5.5 MEDIUM
CVE-2017-2608

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Published: May 15, 2018; 4:29:00 PM -0400
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-2600

In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

Published: May 15, 2018; 4:29:00 PM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2601

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

Published: May 10, 2018; 9:29:00 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2017-2606

Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

Published: May 08, 2018; 4:29:00 PM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2611

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

Published: May 08, 2018; 2:29:00 PM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-1000170

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Published: April 16, 2018; 5:58:09 AM -0400
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW