Filtered by vendor Jenkins
Subscribe
Total
1608 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | |||||
CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.7 MEDIUM |
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. | |||||
CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. | |||||
CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. | |||||
CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. | |||||
CVE-2017-1000502 | 1 Jenkins | 1 Ec2 | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators. | |||||
CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. | |||||
CVE-2017-1000403 | 1 Jenkins | 1 Speaks\! | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts. | |||||
CVE-2017-1000402 | 1 Jenkins | 1 Swarm | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | |||||
CVE-2017-1000401 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 1.2 LOW | 2.2 LOW |
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged. | |||||
CVE-2017-1000400 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to. | |||||
CVE-2017-1000399 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to. | |||||
CVE-2017-1000398 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. | |||||
CVE-2017-1000397 | 1 Jenkins | 1 Maven | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient. | |||||
CVE-2017-1000396 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. | |||||
CVE-2017-1000395 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator. | |||||
CVE-2017-1000394 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins. | |||||
CVE-2017-1000393 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators. | |||||
CVE-2017-1000392 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. | |||||
CVE-2017-1000391 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.9 MEDIUM | 7.3 HIGH |
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files. |