Filtered by vendor Jenkins
Subscribe
Total
1608 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-1999005 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
CVE-2018-1999004 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. | |||||
CVE-2018-1999003 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. | |||||
CVE-2018-1999002 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. | |||||
CVE-2018-1999001 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. | |||||
CVE-2018-1000997 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation. | |||||
CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
CVE-2018-1000865 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | |||||
CVE-2018-1000864 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | |||||
CVE-2018-1000863 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | |||||
CVE-2018-1000862 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | |||||
CVE-2018-1000861 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | |||||
CVE-2018-1000610 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin. | |||||
CVE-2018-1000609 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. | |||||
CVE-2018-1000608 | 1 Jenkins | 1 Z\/os Connector | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. | |||||
CVE-2018-1000607 | 1 Jenkins | 1 Fortify Cloudscan | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as. | |||||
CVE-2018-1000606 | 1 Jenkins | 1 Urltrigger | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
CVE-2018-1000605 | 1 Jenkins | 1 Collabnet | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. | |||||
CVE-2018-1000604 | 1 Jenkins | 1 Badge | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
CVE-2018-1000603 | 1 Jenkins | 1 Openstack Cloud | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in BootSource.java, InstancesToRun.java, JCloudsCleanupThread.java, JCloudsCloud.java, JCloudsComputer.java, JCloudsPreCreationThread.java, JCloudsRetentionStrategy.java, JCloudsSlave.java, JCloudsSlaveTemplate.java, LauncherFactory.java, OpenstackCredentials.java, OpenStackMachineStep.java, SlaveOptions.java, SlaveOptionsDescriptor.java that allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs. |