# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
17501 |
CVE-2017-1000126 |
125 |
|
|
2017-11-17 |
2017-11-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
exiv2 0.26 contains a Stack out of bounds read in webp parser |
17502 |
CVE-2017-1000125 |
732 |
|
|
2017-11-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Codiad(full version) is vulnerable to write anything to configure file in the installation resulting upload a webshell. |
17503 |
CVE-2017-1000122 |
20 |
|
DoS |
2017-11-01 |
2017-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate certain message metadata, allowing a compromised secondary process to cause a denial of service (release assertion) of the UI process. This vulnerability does not affect Apple products. |
17504 |
CVE-2017-1000120 |
89 |
|
Exec Code Sql |
2017-10-04 |
2017-10-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. |
17505 |
CVE-2017-1000119 |
434 |
|
Exec Code |
2017-10-04 |
2019-09-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. |
17506 |
CVE-2017-1000118 |
119 |
|
DoS Overflow |
2017-10-04 |
2017-10-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service |
17507 |
CVE-2017-1000117 |
601 |
|
|
2017-10-04 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. |
17508 |
CVE-2017-1000115 |
59 |
|
|
2017-10-04 |
2019-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository |
17509 |
CVE-2017-1000114 |
200 |
|
XSS +Info |
2017-10-04 |
2017-10-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form. |
17510 |
CVE-2017-1000113 |
200 |
|
+Info |
2017-10-04 |
2019-06-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords. |
17511 |
CVE-2017-1000112 |
362 |
|
Mem. Corr. |
2017-10-04 |
2018-08-05 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005. |
17512 |
CVE-2017-1000110 |
287 |
|
|
2017-10-04 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean. |
17513 |
CVE-2017-1000109 |
79 |
|
XSS |
2017-10-04 |
2017-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. |
17514 |
CVE-2017-1000108 |
200 |
|
+Info |
2017-10-04 |
2017-11-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead. |
17515 |
CVE-2017-1000107 |
|
|
Bypass |
2017-10-04 |
2019-10-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. |
17516 |
CVE-2017-1000106 |
287 |
|
|
2017-10-04 |
2019-10-02 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name. |
17517 |
CVE-2017-1000105 |
732 |
|
|
2017-10-04 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient. |
17518 |
CVE-2017-1000104 |
269 |
|
|
2017-10-04 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files. |
17519 |
CVE-2017-1000103 |
79 |
|
XSS |
2017-10-04 |
2017-11-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. |
17520 |
CVE-2017-1000102 |
79 |
|
XSS |
2017-10-04 |
2017-11-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view. |
17521 |
CVE-2017-1000101 |
119 |
|
Overflow |
2017-10-04 |
2018-11-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`. |
17522 |
CVE-2017-1000100 |
200 |
|
+Info |
2017-10-04 |
2018-11-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. |
17523 |
CVE-2017-1000099 |
200 |
|
+Info |
2017-10-04 |
2017-11-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. |
17524 |
CVE-2017-1000098 |
769 |
|
|
2017-10-04 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. |
17525 |
CVE-2017-1000097 |
295 |
|
|
2017-10-04 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. |
17526 |
CVE-2017-1000096 |
732 |
|
Exec Code |
2017-10-04 |
2019-10-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. |
17527 |
CVE-2017-1000095 |
732 |
|
|
2017-10-04 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object). |
17528 |
CVE-2017-1000094 |
200 |
|
+Info |
2017-10-04 |
2017-10-17 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. |
17529 |
CVE-2017-1000093 |
352 |
|
CSRF |
2017-10-04 |
2017-10-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. |
17530 |
CVE-2017-1000092 |
352 |
|
|
2017-10-04 |
2017-10-17 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. |
17531 |
CVE-2017-1000091 |
352 |
|
CSRF |
2017-10-04 |
2017-10-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery. |
17532 |
CVE-2017-1000090 |
352 |
|
CSRF |
2017-10-04 |
2017-11-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. |
17533 |
CVE-2017-1000089 |
276 |
|
|
2017-10-04 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. |
17534 |
CVE-2017-1000088 |
79 |
|
XSS |
2017-10-04 |
2017-11-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links. |
17535 |
CVE-2017-1000087 |
200 |
|
+Info |
2017-10-04 |
2017-11-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. |
17536 |
CVE-2017-1000086 |
732 |
|
CSRF |
2017-10-04 |
2019-10-02 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. |
17537 |
CVE-2017-1000085 |
352 |
|
CSRF |
2017-10-04 |
2017-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks. |
17538 |
CVE-2017-1000084 |
276 |
|
|
2017-10-04 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. |
17539 |
CVE-2017-1000083 |
|
|
Exec Code |
2017-09-05 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename. |
17540 |
CVE-2017-1000071 |
287 |
|
Bypass |
2017-07-17 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server. |
17541 |
CVE-2017-1000070 |
601 |
|
|
2017-07-17 |
2017-07-20 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819 |
17542 |
CVE-2017-1000069 |
352 |
|
CSRF |
2017-07-17 |
2017-07-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
CSRF in Bitly oauth2_proxy 2.1 during authentication flow |
17543 |
CVE-2017-1000068 |
287 |
|
DoS |
2017-07-17 |
2017-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field. |
17544 |
CVE-2017-1000067 |
89 |
|
Sql |
2017-07-17 |
2017-07-21 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges. |
17545 |
CVE-2017-1000066 |
|
|
|
2017-07-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The entry details view function in KeePass version 1.32 inadvertently decrypts certain database entries into memory, which may result in the disclosure of sensitive information. |
17546 |
CVE-2017-1000065 |
79 |
|
XSS |
2017-07-17 |
2017-07-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and execute malicious scripts within an authenticated client's browser. |
17547 |
CVE-2017-1000064 |
400 |
|
|
2017-07-17 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
kittoframework kitto version 0.5.1 is vulnerable to memory exhaustion in the router resulting in DoS |
17548 |
CVE-2017-1000063 |
79 |
|
XSS |
2017-07-17 |
2017-07-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure |
17549 |
CVE-2017-1000062 |
22 |
|
Exec Code Dir. Trav. |
2017-07-17 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
kittoframework kitto 0.5.1 is vulnerable to directory traversal in the router resulting in remote code execution |
17550 |
CVE-2017-1000061 |
611 |
|
DoS |
2017-07-17 |
2018-01-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service |