Vulnerabilities (CVE)

Filtered by vendor Jenkins Subscribe
Filtered by product Jenkins
Total 248 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-1000401 1 Jenkins 1 Jenkins 2024-02-28 1.2 LOW 2.2 LOW
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.
CVE-2017-2604 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
CVE-2018-1000192 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.
CVE-2017-2606 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
CVE-2017-1000395 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.
CVE-2017-1000504 1 Jenkins 1 Jenkins 2024-02-28 6.8 MEDIUM 8.1 HIGH
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
CVE-2017-2612 1 Jenkins 1 Jenkins 2024-02-28 5.5 MEDIUM 5.4 MEDIUM
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.
CVE-2017-1000393 1 Jenkins 1 Jenkins 2024-02-28 9.0 HIGH 8.8 HIGH
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.
CVE-2017-1000391 1 Jenkins 1 Jenkins 2024-02-28 4.9 MEDIUM 7.3 HIGH
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.
CVE-2017-1000354 1 Jenkins 1 Jenkins 2024-02-28 6.5 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
CVE-2018-1000195 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
CVE-2018-6356 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
CVE-2017-2598 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
CVE-2017-1000356 1 Jenkins 1 Jenkins 2024-02-28 6.8 MEDIUM 8.8 HIGH
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.
CVE-2017-1000353 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 7.5 HIGH 9.8 CRITICAL
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
CVE-2017-1000355 1 Jenkins 1 Jenkins 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
CVE-2017-1000392 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 4.8 MEDIUM
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
CVE-2017-2601 1 Jenkins 1 Jenkins 2024-02-28 3.5 LOW 5.4 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2018-1000067 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
CVE-2018-1000169 1 Jenkins 1 Jenkins 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.