Filtered by vendor Jenkins
Subscribe
Total
1647 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000104 | 1 Jenkins | 1 Coverity | 2019-10-03 | 2.1 LOW | 7.8 HIGH |
| A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords. | |||||
| CVE-2018-1000105 | 1 Jenkins | 1 Gerrit Trigger | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins. | |||||
| CVE-2018-1000608 | 1 Jenkins | 1 Z\/os Connector | 2019-10-03 | 4.0 MEDIUM | 7.2 HIGH |
| A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. | |||||
| CVE-2018-1000114 | 1 Jenkins | 1 Promoted Builds | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions. | |||||
| CVE-2018-1999044 | 1 Jenkins | 1 Jenkins | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
| CVE-2017-1000089 | 1 Jenkins | 1 Pipeline\ | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. | |||||
| CVE-2017-1000245 | 1 Jenkins | 1 Ssh | 2019-10-03 | 5.0 MEDIUM | 9.8 CRITICAL |
| The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file. | |||||
| CVE-2018-1000112 | 1 Jenkins | 1 Mercurial | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users. | |||||
| CVE-2018-1000152 | 1 Jenkins | 1 Vsphere | 2019-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). | |||||
| CVE-2018-1000057 | 1 Jenkins | 1 Credentials Binding | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password. | |||||
| CVE-2017-1000084 | 1 Jenkins | 1 Parameterized Trigger | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. | |||||
| CVE-2017-1000095 | 1 Jenkins | 1 Script Security | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object). | |||||
| CVE-2017-1000387 | 1 Jenkins | 1 Build-publisher | 2019-10-03 | 2.1 LOW | 7.8 HIGH |
| Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations. | |||||
| CVE-2018-1000863 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2019-10-03 | 6.4 MEDIUM | 8.2 HIGH |
| A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | |||||
| CVE-2018-1000107 | 1 Jenkins | 1 Job And Node Ownership | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata. | |||||
| CVE-2018-1000106 | 1 Jenkins | 1 Gerrit Trigger | 2019-10-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins. | |||||
| CVE-2018-1000109 | 1 Jenkins | 1 Google-play-android-publisher | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. | |||||
| CVE-2017-1000403 | 1 Jenkins | 1 Speaks\! | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts. | |||||
| CVE-2018-1000110 | 1 Jenkins | 1 Git | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. | |||||
| CVE-2018-1000865 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | |||||