Search Results (Refine Search)
- Results Type: Overview
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2019-10450 |
Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 3.3 LOW V2.0: 2.1 LOW |
CVE-2019-10449 |
Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 4.0 MEDIUM |
CVE-2019-10448 |
Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 4.0 MEDIUM |
CVE-2019-10447 |
Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10446 |
Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 8.2 HIGH V2.0: 6.4 MEDIUM |
CVE-2019-10445 |
A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10444 |
Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disabled SSL/TLS and hostname verification for connections to HP ALM. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 6.4 MEDIUM |
CVE-2019-10443 |
Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 4.0 MEDIUM |
CVE-2019-10442 |
A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10441 |
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-10440 |
Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. Published: October 16, 2019; 10:15:12 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 4.0 MEDIUM |
CVE-2019-10439 |
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. Published: October 16, 2019; 10:15:11 AM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10438 |
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Published: October 16, 2019; 10:15:11 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10437 |
A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Published: October 16, 2019; 10:15:11 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2019-10436 |
An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master. Published: October 16, 2019; 10:15:11 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-4031 |
IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a vulnerability that could allow a local user to write files as root in the file system, which could allow the attacker to gain root privileges. IBM X-Force ID: 155997. Published: October 16, 2019; 9:15:11 AM -0400 |
V4.0:(not available) V3.1: 7.8 HIGH V2.0: 7.2 HIGH |
CVE-2019-17627 |
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks. Published: October 16, 2019; 8:15:12 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 3.3 LOW |
CVE-2019-17626 |
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code. Published: October 16, 2019; 8:15:12 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-17625 |
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element. Published: October 16, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 9.0 CRITICAL V2.0: 8.5 HIGH |
CVE-2019-17624 |
"" In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact. Note: It is disputed if the X.Org X Server is involved or if there is a stack overflow. Published: October 16, 2019; 7:15:15 AM -0400 |
V4.0:(not available) V3.1: 7.8 HIGH V2.0: 4.6 MEDIUM |