Total
246 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-2231 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. | |||||
CVE-2020-2221 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. | |||||
CVE-2020-2222 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. | |||||
CVE-2012-0785 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack." | |||||
CVE-2020-2103 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.0 MEDIUM | 5.4 MEDIUM |
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page. | |||||
CVE-2020-2100 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 5.0 MEDIUM | 5.8 MEDIUM |
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. | |||||
CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
CVE-2012-4441 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin. | |||||
CVE-2012-4440 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin. | |||||
CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
CVE-2012-4438 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code. | |||||
CVE-2020-2101 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.3 MEDIUM |
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret. | |||||
CVE-2020-2105 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.3 MEDIUM | 5.4 MEDIUM |
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. | |||||
CVE-2019-10403 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | |||||
CVE-2019-10402 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | |||||
CVE-2019-10401 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | |||||
CVE-2012-4439 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins. | |||||
CVE-2020-2104 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. | |||||
CVE-2020-2099 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 7.5 HIGH | 8.6 HIGH |
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents. | |||||
CVE-2019-10406 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. |