Filtered by vendor Jenkins
Subscriptions
Total
1603 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-1000406 | 1 Jenkins | 1 Jenkins | 2019-05-08 | N/A |
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. | ||||
CVE-2018-1000170 | 1 Jenkins | 1 Jenkins | 2019-05-08 | N/A |
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. | ||||
CVE-2018-8718 | 1 Jenkins | 1 Mailer | 2019-03-04 | N/A |
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. | ||||
CVE-2018-1000411 | 1 Jenkins | 1 Junit | 2019-01-28 | N/A |
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. | ||||
CVE-2018-1000417 | 1 Jenkins | 1 Email Extension Template | 2019-01-22 | N/A |
A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates. | ||||
CVE-2018-1000414 | 1 Jenkins | 1 Config File Provider | 2019-01-22 | N/A |
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions. | ||||
CVE-2012-0324 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | N/A |
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325. | ||||
CVE-2012-6072 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | N/A |
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | ||||
CVE-2013-0158 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | N/A |
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors. | ||||
CVE-2012-6073 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | N/A |
Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||||
CVE-2012-0325 | 2 Cloudbees, Jenkins | 2 Jenkins, Jenkins | 2018-10-30 | N/A |
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324. | ||||
CVE-2018-1999026 | 1 Jenkins | 1 Tracetronic Ecu-test | 2018-10-04 | N/A |
A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host. | ||||
CVE-2018-1000402 | 1 Jenkins | 1 Aws Codedeploy | 2018-09-10 | N/A |
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later. | ||||
CVE-2018-1000173 | 1 Jenkins | 1 Google Login | 2018-06-13 | N/A |
A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | ||||
CVE-2018-1000174 | 1 Jenkins | 1 Google Login | 2018-06-13 | N/A |
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. | ||||
CVE-2018-1000054 | 1 Jenkins | 1 Ccm | 2018-03-13 | N/A |
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | ||||
CVE-2018-1000058 | 1 Jenkins | 1 Pipeline Supporting Apis | 2018-03-06 | N/A |
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | ||||
CVE-2018-1000056 | 1 Jenkins | 1 Junit | 2018-03-06 | N/A |
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | ||||
CVE-2018-1000055 | 1 Jenkins | 1 Android Lint | 2018-03-06 | N/A |
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | ||||
CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2018-02-15 | N/A |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. |