Filtered by vendor Jenkins
Total: 1603 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-1003051 | 1 Jenkins | 1 Irc | 2023-10-25 | 8.8 High |
Jenkins IRC Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | ||||
CVE-2019-1003050 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2023-10-25 | 5.4 Medium |
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. | ||||
CVE-2019-1003049 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2023-10-25 | 8.1 High |
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. | ||||
CVE-2019-1003048 | 1 Jenkins | 1 Prqa | 2023-10-25 | 7.8 High |
A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration. | ||||
CVE-2019-1003047 | 1 Jenkins | 1 Fortify On Demand Uploader | 2023-10-25 | 6.5 Medium |
A missing permission check in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||||
CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2023-10-25 | N/A |
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. | ||||
CVE-2019-1003044 | 1 Jenkins | 1 Slack Notification | 2023-10-25 | N/A |
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
CVE-2019-1003043 | 1 Jenkins | 1 Slack Notification | 2023-10-25 | 7.5 High |
A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
CVE-2019-1003042 | 1 Jenkins | 1 Lockable Resources | 2023-10-25 | N/A |
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | ||||
CVE-2019-1003041 | 2 Jenkins, Redhat | 2 Pipeline, Openshift Container Platform | 2023-10-25 | 9.8 Critical |
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. | ||||
CVE-2019-1003040 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2023-10-25 | 9.8 Critical |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. | ||||
CVE-2019-1003039 | 1 Jenkins | 1 Appdynamics | 2023-10-25 | 8.8 High |
An insufficiently protected credentials vulnerability exists in Jenkins AppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them. | ||||
CVE-2019-1003038 | 1 Jenkins | 1 Repository Connector | 2023-10-25 | 7.8 High |
An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration. | ||||
CVE-2019-1003037 | 1 Jenkins | 1 Azure Vm Agents | 2023-10-25 | 6.5 Medium |
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
CVE-2019-1003036 | 1 Jenkins | 1 Azure Vm Agents | 2023-10-25 | 4.3 Medium |
A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent. | ||||
CVE-2019-1003035 | 1 Jenkins | 1 Azure Vm Agents | 2023-10-25 | 4.3 Medium |
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration. | ||||
CVE-2019-1003034 | 2 Jenkins, Redhat | 2 Job Dsl, Openshift Container Platform | 2023-10-25 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003033 | 1 Jenkins | 1 Groovy | 2023-10-25 | 8.8 High |
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003032 | 1 Jenkins | 1 Email Extension | 2023-10-25 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003031 | 2 Jenkins, Redhat | 2 Matrix Project, Openshift Container Platform | 2023-10-25 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. |