CVEdetails.com the ultimate security vulnerability data source
Jenkins : Security Vulnerabilities (CVSS score between 4 and 4.99)

Columns per entry: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | CVSS Score | Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail. The "# of Exploits" column is empty for every entry on this page.

301  CVE-2019-10313  CWE-522  Published 2019-04-30  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

302  CVE-2019-10312  CWE-862  Published 2019-04-30  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

303  CVE-2019-10311  CWE-862  Published 2019-04-30  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

304  CVE-2019-10309  CWE-611  Published 2019-04-30  Updated 2019-05-06  CVSS 4.8
     Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf.: Partial  Integ.: None  Avail.: Partial
     Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

305  CVE-2019-10308  CWE-862  Published 2019-04-30  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users.

306  CVE-2019-10307  CWE-352  Type: CSRF  Published 2019-04-30  Updated 2019-05-06  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: None  Integ.: Partial  Avail.: None
     A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.

307  CVE-2019-10305  CWE-862  Published 2019-04-18  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

308  CVE-2019-10304  CWE-352  Type: CSRF  Published 2019-04-18  Updated 2019-10-09  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: None  Integ.: Partial  Avail.: None
     A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.

309  CVE-2019-10303  CWE-522  Published 2019-04-18  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Azure PublisherSettings Credentials Plugin 1.2 and earlier stored credentials unencrypted in the credentials.xml file on the Jenkins master where they could be viewed by users with access to the master file system.

310  CVE-2019-10302  CWE-522  Published 2019-04-18  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

311  CVE-2019-10301  CWE-862  Published 2019-04-18  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

312  CVE-2019-10299  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

313  CVE-2019-10298  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

314  CVE-2019-10297  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

315  CVE-2019-10296  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

316  CVE-2019-10295  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

317  CVE-2019-10294  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

318  CVE-2019-10293  CWE-862  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

319  CVE-2019-10292  CWE-352  Type: CSRF  Published 2019-04-04  Updated 2019-10-09  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: None  Integ.: Partial  Avail.: None
     A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.

320  CVE-2019-10291  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

321  CVE-2019-10290  CWE-862  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

322  CVE-2019-10289  CWE-352  Type: CSRF  Published 2019-04-04  Updated 2019-10-09  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: None  Integ.: Partial  Avail.: None
     A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.

323  CVE-2019-10288  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Jabber Server Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

324  CVE-2019-10287  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins youtrack-plugin Plugin 0.7.1 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

325  CVE-2019-10286  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

326  CVE-2019-10285  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Minio Storage Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

327  CVE-2019-10284  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

328  CVE-2019-10283  CWE-522  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

329  CVE-2019-10282  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

330  CVE-2019-10281  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

331  CVE-2019-10280  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

332  CVE-2019-10279  CWE-862  Published 2019-04-04  Updated 2020-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

333  CVE-2019-10278  CWE-352  Type: CSRF  Published 2019-04-04  Updated 2019-10-09  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: None  Integ.: Partial  Avail.: None
     A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

334  CVE-2019-10277  CWE-522  Published 2019-04-04  Updated 2020-10-02  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     Jenkins StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
335  CVE-2018-1999047  CWE-863  Published 2018-08-23  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

336  CVE-2018-1999046  CWE-200  Type: +Info  Published 2018-08-23  Updated 2019-05-08  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

337  CVE-2018-1999044  CWE-835  Type: DoS  Published 2018-08-23  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: None  Avail.: Partial
     A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

338  CVE-2018-1999040  CWE-200  Type: +Info  Published 2018-08-01  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

339  CVE-2018-1999039  CWE-918  Published 2018-08-01  Updated 2018-10-15  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker-specified credentials.

340  CVE-2018-1999038  CWE-441  Published 2018-08-01  Updated 2018-10-15  CVSS 4.9
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf.: Partial  Integ.: Partial  Avail.: None
     A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials.

341  CVE-2018-1999037  CWE-20  Published 2018-08-01  Updated 2018-10-10  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource.

342  CVE-2018-1999036  CWE-532  Published 2018-08-01  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.

343  CVE-2018-1999031  CWE-200  Type: +Info  Published 2018-08-01  Updated 2018-10-01  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration.

344  CVE-2018-1999030  CWE-200  Type: +Info  Published 2018-08-01  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

345  CVE-2018-1999028  CWE-200  Type: +Info  Published 2018-08-01  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

346  CVE-2018-1999026  CWE-918  Published 2018-08-01  Updated 2018-10-04  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host.

347  CVE-2018-1999006  CWE-200  Type: +Info  Published 2018-07-23  Updated 2019-05-08  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: Partial  Integ.: None  Avail.: None
     An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

348  CVE-2018-1999004  CWE-863  Published 2018-07-23  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: None  Avail.: Partial
     An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

349  CVE-2018-1999003  CWE-863  Published 2018-07-23  Updated 2019-10-03  CVSS 4.0
     Gained access: None  Access: Remote  Complexity: Low  Authentication: ???  Conf.: None  Integ.: Partial  Avail.: None
     An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

350  CVE-2018-1999001  CWE-20  Published 2018-07-23  Updated 2019-10-03  CVSS 4.3
     Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf.: Partial  Integ.: None  Avail.: None
     An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
Total number of vulnerabilities: 442 (this is page 7 of 9)