Vulnerabilities (CVE)

Vendor filter

Jenkins Subscribe

Product filter

Jenkins Subscribe

Filter

141 total CVE
CVE Vendors Products Updated CVSS
CVE-2016-9299 2 Jenkins, Fedoraproject 2 Jenkins, Fedora 2019-05-22 7.5
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
CVE-2017-1000391 1 Jenkins 1 Jenkins 2019-05-08 4.9
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used...
CVE-2017-1000392 1 Jenkins 1 Jenkins 2019-05-08 3.5
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML...
CVE-2017-1000393 1 Jenkins 1 Jenkins 2019-05-08 9.0
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell...
CVE-2017-1000394 1 Jenkins 1 Jenkins 2019-05-08 5.0
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library...
CVE-2017-1000395 1 Jenkins 1 Jenkins 2019-05-08 4.0
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email...
CVE-2017-1000396 1 Jenkins 1 Jenkins 2019-05-08 4.3
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is...
CVE-2017-1000398 1 Jenkins 1 Jenkins 2019-05-08 4.0
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise...
CVE-2017-1000399 1 Jenkins 1 Jenkins 2019-05-08 4.0
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no...
CVE-2017-1000400 1 Jenkins 1 Jenkins 2019-05-08 4.0
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to...
CVE-2017-1000401 1 Jenkins 1 Jenkins 2019-05-08 1.2
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets...
CVE-2017-1000504 1 Jenkins 1 Jenkins 2019-05-08 6.8
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer...
CVE-2018-1000407 1 Jenkins 1 Jenkins 2019-05-08 4.3
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled...
CVE-2018-1000997 1 Jenkins 1 Jenkins 2019-05-08 4.0
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java,...
CVE-2018-1000864 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2019-05-08 4.0
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2018-1000863 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2019-05-08 6.4
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats,...
CVE-2018-1000862 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2019-05-08 4.0
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds...
CVE-2018-1000861 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2019-05-08 10.0
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java...
CVE-2018-1000410 1 Jenkins 1 Jenkins 2019-05-08 2.1
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java,...
CVE-2018-1000409 1 Jenkins 1 Jenkins 2019-05-08 5.8
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new...