Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1608 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-1003014 2 Jenkins, Redhat 2 Config File Provider, Openshift Container Platform 2024-11-21 3.5 LOW 4.8 MEDIUM
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
CVE-2019-1003013 2 Jenkins, Redhat 2 Blue Ocean, Openshift Container Platform 2024-11-21 3.5 LOW 5.4 MEDIUM
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
CVE-2019-1003012 2 Jenkins, Redhat 2 Blue Ocean, Openshift Container Platform 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
CVE-2019-1003011 2 Jenkins, Redhat 2 Token Macro, Openshift Container Platform 2024-11-21 5.5 MEDIUM 8.1 HIGH
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.
CVE-2019-1003010 2 Jenkins, Redhat 2 Git, Openshift Container Platform 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
CVE-2019-1003009 1 Jenkins 1 Active Directory 2024-11-21 5.8 MEDIUM 7.4 HIGH
An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS.
CVE-2019-1003008 1 Jenkins 1 Warnings Next Generation 2024-11-21 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.
CVE-2019-1003007 1 Jenkins 1 Warnings 2024-11-21 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.
CVE-2019-1003006 1 Jenkins 1 Groovy 2024-11-21 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003005 1 Jenkins 1 Script Security 2024-11-21 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003004 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2024-11-21 6.5 MEDIUM 7.2 HIGH
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.
CVE-2019-1003003 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2024-11-21 6.5 MEDIUM 7.2 HIGH
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.
CVE-2019-1003002 2 Jenkins, Redhat 2 Pipeline\, Openshift Container Platform 2024-11-21 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003001 2 Jenkins, Redhat 2 Pipeline\, Openshift Container Platform 2024-11-21 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003000 2 Jenkins, Redhat 2 Script Security, Openshift Container Platform 2024-11-21 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.
CVE-2018-8718 1 Jenkins 1 Mailer 2024-11-21 6.0 MEDIUM 8.0 HIGH
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
CVE-2018-6356 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
CVE-2018-1999047 1 Jenkins 1 Jenkins 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.
CVE-2018-1999046 1 Jenkins 1 Jenkins 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent.
CVE-2018-1999045 1 Jenkins 1 Jenkins 2024-11-21 5.5 MEDIUM 5.4 MEDIUM
A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.