Jenkins : Security Vulnerabilities (CVSS score between 4 and 4.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
201 CVE-2019-1003023 79 XSS 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None Partial None
A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML.
202 CVE-2019-1003022 352 DoS 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None None Partial
A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.
203 CVE-2019-1003021 200 +Info 2019-02-06 2019-10-09
4.3
None Remote Medium Not required Partial None None
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
204 CVE-2019-1003020 918 2019-02-06 2019-10-09
4.0
None Remote Low Single system None Partial None
A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL.
205 CVE-2019-1003019 384 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None Partial None
A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
206 CVE-2019-1003018 200 +Info 2019-02-06 2019-10-09
4.3
None Remote Medium Not required Partial None None
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
207 CVE-2019-1003016 352 +Info 2019-02-06 2019-10-09
4.3
None Remote Medium Not required Partial None None
An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
208 CVE-2019-1003012 352 Bypass CSRF 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None Partial None
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
209 CVE-2019-1003010 352 CSRF 2019-02-06 2019-04-26
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
210 CVE-2019-16576 862 2019-12-17 2020-10-05
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.
211 CVE-2019-16574 862 2019-12-17 2020-10-05
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
212 CVE-2019-16571 862 2019-12-17 2020-10-05
4.0
None Remote Low Single system None Partial None
A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
213 CVE-2019-16569 352 CSRF 2019-12-17 2019-12-31
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
214 CVE-2019-16567 862 2019-12-17 2020-10-05
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
215 CVE-2019-16566 862 2019-12-17 2020-10-05
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
216 CVE-2019-16557 522 2019-12-17 2020-01-03
4.0
None Remote Low Single system Partial None None
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
217 CVE-2019-16556 522 2019-12-17 2020-01-03
4.0
None Remote Low Single system Partial None None
Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
218 CVE-2019-16555 400 2019-12-17 2020-01-03
4.0
None Remote Low Single system None None Partial
A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that wasn't interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process.
219 CVE-2019-16554 276 2019-12-17 2020-01-03
4.0
None Remote Low Single system None None Partial
A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.
220 CVE-2019-16547 862 +Info 2019-11-21 2020-10-09
4.0
None Remote Low Single system Partial None None
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.
221 CVE-2019-16546 639 2019-11-21 2019-11-22
4.3
None Remote Medium Not required Partial None None
Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
222 CVE-2019-16542 522 2019-11-21 2019-12-03
4.0
None Remote Low Single system Partial None None
Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
223 CVE-2019-10475 79 XSS 2019-10-23 2019-11-08
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
224 CVE-2019-10474 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.
225 CVE-2019-10473 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
226 CVE-2019-10472 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
227 CVE-2019-10470 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
228 CVE-2019-10469 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
229 CVE-2019-10467 522 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
230 CVE-2019-10465 276 2019-10-23 2019-10-24
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.
231 CVE-2019-10463 276 2019-10-23 2019-10-25
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
232 CVE-2019-10459 522 2019-10-23 2019-10-25
4.0
None Remote Low Single system Partial None None
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
233 CVE-2019-10457 862 2019-10-16 2020-10-01
4.0
None Remote Low Single system None Partial None
A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
234 CVE-2019-10456 352 CSRF 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
235 CVE-2019-10455 862 2019-10-16 2020-10-01
4.0
None Remote Low Single system None Partial None
A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
236 CVE-2019-10454 352 CSRF 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
237 CVE-2019-10452 312 2019-10-16 2019-10-18
4.0
None Remote Low Single system Partial None None
Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
238 CVE-2019-10451 312 2019-10-16 2019-10-22
4.0
None Remote Low Single system Partial None None
Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
239 CVE-2019-10449 312 2019-10-16 2019-10-18
4.0
None Remote Low Single system Partial None None
Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
240 CVE-2019-10448 522 2019-10-16 2019-10-18
4.0
None Remote Low Single system Partial None None
Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
241 CVE-2019-10447 312 2019-10-16 2019-10-20
4.0
None Remote Low Single system Partial None None
Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
242 CVE-2019-10445 862 +Info 2019-10-16 2020-10-01
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.
243 CVE-2019-10443 312 2019-10-16 2019-10-30
4.0
None Remote Low Single system Partial None None
Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
244 CVE-2019-10442 862 2019-10-16 2020-10-01
4.0
None Remote Low Single system None Partial None
A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
245 CVE-2019-10441 352 CSRF 2019-10-16 2019-10-21
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
246 CVE-2019-10440 312 2019-10-16 2019-10-30
4.0
None Remote Low Single system Partial None None
Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
247 CVE-2019-10439 862 2019-10-16 2020-10-01
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
248 CVE-2019-10438 862 2019-10-16 2020-10-01
4.0
None Remote Low Single system Partial None None
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
249 CVE-2019-10436 2019-10-16 2020-10-01
4.0
None Remote Low Single system Partial None None
An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.
250 CVE-2019-10425 312 2019-09-25 2019-10-09
4.0
None Remote Low Single system Partial None None
Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Total number of vulnerabilities: 442. Page 5 of 9.
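CVE-2019-16555 and CVE-2019-16554 describe a user-supplied regular expression that Jenkins evaluated without any way to interrupt it, so a backtracking-heavy pattern could pin a master thread indefinitely. The following is an added example, not code from the Build Failure Analyzer plugin, of the standard Java remedy: wrap the input in a CharSequence that checks the thread's interrupt flag on every charAt() call (java.util.regex reads the subject only through CharSequence, so this is where an interrupt can surface), then run the match under a deadline and cancel it on timeout. Class and method names are invented; the catastrophic pattern and the inputs are constructed for the demonstration and need Java 11 or later for String.repeat.

```java
// Added example (not plugin code): interruptible, time-bounded regex evaluation.
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

public final class InterruptibleRegex {

    /** CharSequence view that polls the current thread's interrupt flag on every charAt(). */
    static final class InterruptibleCharSequence implements CharSequence {
        private final CharSequence inner;
        InterruptibleCharSequence(CharSequence inner) { this.inner = inner; }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int index) {
            if (Thread.currentThread().isInterrupted()) {
                // The regex engine's inner loop calls charAt(), so an interrupt aborts
                // the match here instead of being ignored until backtracking finishes.
                throw new RegexInterruptedException();
            }
            return inner.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new InterruptibleCharSequence(inner.subSequence(start, end));
        }
        @Override public String toString() { return inner.toString(); }
    }

    static final class RegexInterruptedException extends RuntimeException {
        RegexInterruptedException() { super("regex evaluation interrupted"); }
    }

    /**
     * Runs pattern.matcher(input).find() with a hard time budget. Returns the match result
     * normally; throws TimeoutException if the engine is still running at the deadline,
     * in which case the worker is interrupted and its next charAt() aborts the match.
     */
    public static boolean findWithTimeout(Pattern pattern, String input, long timeoutMillis)
            throws TimeoutException, InterruptedException {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Future<Boolean> result = worker.submit(() ->
                pattern.matcher(new InterruptibleCharSequence(input)).find());
            try {
                return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            } catch (TimeoutException e) {
                result.cancel(true);   // sets the interrupt flag on the worker thread
                throw e;
            } catch (ExecutionException e) {
                throw new IllegalStateException(e.getCause());
            }
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign indication, then a catastrophic-backtracking
        // pattern of the kind a user could submit, applied to a subject that defeats it.
        System.out.println(findWithTimeout(Pattern.compile("ERROR: .*"), "ERROR: build failed", 500));
        Pattern evil = Pattern.compile("^(a+)+$");
        String bomb = "a".repeat(40) + "!";
        try {
            findWithTimeout(evil, bomb, 500);
        } catch (TimeoutException e) {
            System.out.println("regex aborted after 500 ms instead of pinning a Jenkins thread");
        }
    }
}
```

Without the wrapper, `result.cancel(true)` would set the interrupt flag but the engine would keep backtracking until it finished, which is exactly the uninterruptible behaviour the two entries describe; the timeout alone bounds how long the caller waits, the wrapper bounds how long the thread is actually consumed.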