Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Total 1605 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-1000104 1 Jenkins 1 Config File Provider 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files.
CVE-2017-1000107 1 Jenkins 1 Script Security 2024-02-28 6.5 MEDIUM 8.8 HIGH
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.
CVE-2014-9634 2 Apache, Jenkins 2 Tomcat, Jenkins 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
CVE-2017-1000110 1 Jenkins 1 Blue Ocean 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean.
CVE-2017-1000088 1 Jenkins 1 Sidebar Link 2024-02-28 3.5 LOW 5.4 MEDIUM
The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.
CVE-2017-1000103 1 Jenkins 1 Dry 2024-02-28 3.5 LOW 5.4 MEDIUM
The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
CVE-2017-1000085 1 Jenkins 1 Subversion 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
CVE-2017-17383 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 4.7 MEDIUM
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
CVE-2017-1000105 1 Jenkins 1 Blue Ocean 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient.
CVE-2017-1000096 1 Jenkins 1 Pipeline\ 2024-02-28 6.5 MEDIUM 8.8 HIGH
Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
CVE-2017-1000242 1 Jenkins 1 Git Client 2024-02-28 2.1 LOW 3.3 LOW
Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure
CVE-2016-3101 1 Jenkins 1 Extra Columns 2024-02-28 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.
CVE-2016-4986 1 Jenkins 1 Tap 2024-02-28 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter.
CVE-2016-4988 1 Jenkins 1 Build Failure Analyzer 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
CVE-2016-3102 1 Jenkins 1 Script Security 2024-02-28 7.5 HIGH 7.3 HIGH
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
CVE-2016-9299 2 Fedoraproject, Jenkins 2 Fedora, Jenkins 2024-02-28 7.5 HIGH 9.8 CRITICAL
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
CVE-2016-4987 1 Jenkins 1 Image Gallery 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.
CVE-2015-5319 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-02-28 5.0 MEDIUM N/A
XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.
CVE-2014-3665 1 Jenkins 1 Jenkins 2024-02-28 6.8 MEDIUM N/A
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
CVE-2016-0789 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.