Security Vulnerabilities Published In October 2019

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

801 | CVE-2019-10474 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

802 | CVE-2019-10473 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

803 | CVE-2019-10472 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

804 | CVE-2019-10471 | 352 | - | CSRF | 2019-10-23 | 2019-10-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

805 | CVE-2019-10470 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

806 | CVE-2019-10469 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

807 | CVE-2019-10468 | 352 | - | CSRF | 2019-10-23 | 2019-10-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

808 | CVE-2019-10467 | 522 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

809 | CVE-2019-10466 | 611 | - | - | 2019-10-23 | 2019-10-25 | 5.5 | None | Remote | Low | Single system | Partial | None | Partial
    An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

810 | CVE-2019-10465 | 276 | - | - | 2019-10-23 | 2019-10-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

811 | CVE-2019-10464 | 352 | - | CSRF | 2019-10-23 | 2019-10-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

812 | CVE-2019-10463 | 276 | - | - | 2019-10-23 | 2019-10-25 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

813 | CVE-2019-10462 | 352 | - | CSRF | 2019-10-23 | 2019-10-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

814 | CVE-2019-10461 | 522 | - | - | 2019-10-23 | 2019-10-24 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

815 | CVE-2019-10460 | 522 | - | - | 2019-10-23 | 2019-10-24 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

816 | CVE-2019-10459 | 522 | - | - | 2019-10-23 | 2019-10-25 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

817 | CVE-2019-10458 | - | - | Exec Code | 2019-10-16 | 2021-10-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
    Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

818 | CVE-2019-10457 | 862 | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | None | Partial | None
    A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

819 | CVE-2019-10456 | 352 | - | CSRF | 2019-10-16 | 2019-10-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

820 | CVE-2019-10455 | 862 | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | None | Partial | None
    A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

821 | CVE-2019-10454 | 352 | - | CSRF | 2019-10-16 | 2019-10-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

822 | CVE-2019-10453 | 312 | - | - | 2019-10-16 | 2019-10-18 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

823 | CVE-2019-10452 | 312 | - | - | 2019-10-16 | 2019-10-18 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

824 | CVE-2019-10451 | 312 | - | - | 2019-10-16 | 2019-10-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

825 | CVE-2019-10450 | 312 | - | - | 2019-10-16 | 2019-10-18 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

826 | CVE-2019-10449 | 312 | - | - | 2019-10-16 | 2019-10-18 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

827 | CVE-2019-10448 | 522 | - | - | 2019-10-16 | 2019-10-18 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

828 | CVE-2019-10447 | 312 | - | - | 2019-10-16 | 2019-10-20 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

829 | CVE-2019-10446 | 295 | - | - | 2019-10-16 | 2019-10-18 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
    Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

830 | CVE-2019-10445 | 862 | - | +Info | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.

831 | CVE-2019-10444 | 295 | - | - | 2019-10-16 | 2019-10-18 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
    Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disabled SSL/TLS and hostname verification for connections to HP ALM.

832 | CVE-2019-10443 | 312 | - | - | 2019-10-16 | 2019-10-30 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

833 | CVE-2019-10442 | 862 | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | None | Partial | None
    A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

834 | CVE-2019-10441 | 352 | - | CSRF | 2019-10-16 | 2019-10-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

835 | CVE-2019-10440 | 312 | - | - | 2019-10-16 | 2019-10-30 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

836 | CVE-2019-10439 | 862 | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

837 | CVE-2019-10438 | 862 | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

838 | CVE-2019-10437 | 352 | - | CSRF | 2019-10-16 | 2019-10-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

839 | CVE-2019-10436 | - | - | - | 2019-10-16 | 2020-10-01 | 4.0 | None | Remote | Low | Single system | Partial | None | None
    An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.

840 | CVE-2019-10435 | 319 | - | - | 2019-10-01 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

841 | CVE-2019-10434 | 319 | - | - | 2019-10-01 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

842 | CVE-2019-10433 | 256 | - | - | 2019-10-01 | 2021-08-19 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins Dingding[钉钉] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

843 | CVE-2019-10432 | 79 | - | XSS | 2019-10-01 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
    Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those names.

844 | CVE-2019-10431 | 94 | - | Exec Code Bypass | 2019-10-01 | 2019-10-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

845 | CVE-2019-10215 | 79 | - | Exec Code XSS | 2019-10-08 | 2020-07-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.

846 | CVE-2019-10212 | 532 | - | - | 2019-10-02 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
    A flaw was found in Undertow, all versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

847 | CVE-2019-10211 | - | - | - | 2019-10-29 | 2021-10-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The PostgreSQL Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19 and 9.4.24 is vulnerable because the bundled OpenSSL executes code from an unprotected directory.

848 | CVE-2019-10210 | 522 | - | - | 2019-10-29 | 2021-10-28 | 1.9 | None | Local | Medium | Not required | Partial | None | None
    The PostgreSQL Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19 and 9.4.24 is vulnerable because the superuser writes the password to an unprotected temporary file.

849 | CVE-2019-10209 | 125 | - | - | 2019-10-29 | 2020-10-01 | 3.5 | None | Remote | Medium | Single system | Partial | None | None
    PostgreSQL, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.

850 | CVE-2019-10208 | 89 | - | Sql | 2019-10-29 | 2020-08-17 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
    A flaw was discovered in PostgreSQL versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function.
Total number of vulnerabilities: 1567 (this is page 17 of 32).