| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1003050 |
79 |
|
XSS |
2019-04-10 |
2019-04-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. |
|
2 |
CVE-2019-1003049 |
287 |
|
|
2019-04-10 |
2019-04-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. |
|
3 |
CVE-2019-1003004 |
613 |
|
|
2019-01-22 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time. |
|
4 |
CVE-2019-1003003 |
613 |
|
|
2019-01-22 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts. |
|
5 |
CVE-2019-10406 |
79 |
|
XSS |
2019-09-25 |
2019-09-25 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. |
|
6 |
CVE-2019-10405 |
200 |
|
XSS +Info |
2019-09-25 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. |
|
7 |
CVE-2019-10404 |
79 |
|
XSS |
2019-09-25 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. |
|
8 |
CVE-2019-10403 |
79 |
|
XSS |
2019-09-25 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. |
|
9 |
CVE-2019-10402 |
79 |
|
XSS |
2019-09-25 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. |
|
10 |
CVE-2019-10401 |
79 |
|
XSS |
2019-09-25 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). |
|
11 |
CVE-2019-10384 |
352 |
|
Bypass CSRF |
2019-08-28 |
2019-09-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. |
|
12 |
CVE-2019-10383 |
79 |
|
XSS |
2019-08-28 |
2019-09-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages. |
|
13 |
CVE-2019-10354 |
200 |
|
Bypass +Info |
2019-07-17 |
2019-07-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. |
|
14 |
CVE-2019-10353 |
352 |
|
Bypass CSRF |
2019-07-17 |
2019-07-26 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. |
|
15 |
CVE-2019-10352 |
22 |
|
Dir. Trav. |
2019-07-17 |
2019-08-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. |
|
16 |
CVE-2018-1999047 |
863 |
|
|
2018-08-23 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. |
|
17 |
CVE-2018-1999046 |
200 |
|
+Info |
2018-08-23 |
2019-05-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. |
|
18 |
CVE-2018-1999045 |
287 |
|
|
2018-08-23 |
2019-05-08 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. |
|
19 |
CVE-2018-1999044 |
835 |
|
DoS |
2018-08-23 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. |
|
20 |
CVE-2018-1999043 |
772 |
|
DoS |
2018-08-23 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. |
|
21 |
CVE-2018-1999042 |
502 |
|
|
2018-08-23 |
2019-05-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. |
|
22 |
CVE-2018-1999007 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. |
|
23 |
CVE-2018-1999006 |
200 |
|
+Info |
2018-07-23 |
2019-05-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. |
|
24 |
CVE-2018-1999005 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
25 |
CVE-2018-1999004 |
863 |
|
|
2018-07-23 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. |
|
26 |
CVE-2018-1999003 |
863 |
|
|
2018-07-23 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. |
|
27 |
CVE-2018-1999002 |
20 |
|
|
2018-07-23 |
2018-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. |
|
28 |
CVE-2018-1999001 |
20 |
|
|
2018-07-23 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. |
|
29 |
CVE-2018-1000997 |
22 |
|
Dir. Trav. |
2019-01-23 |
2019-05-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation. |
|
30 |
CVE-2018-1000864 |
835 |
|
DoS |
2018-12-10 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. |
|
31 |
CVE-2018-1000863 |
22 |
|
Dir. Trav. |
2018-12-10 |
2019-10-02 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. |
|
32 |
CVE-2018-1000862 |
200 |
|
+Info |
2018-12-10 |
2019-05-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. |
|
33 |
CVE-2018-1000861 |
502 |
|
Exec Code |
2018-12-10 |
2019-05-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. |
|
34 |
CVE-2018-1000410 |
200 |
|
+Info |
2019-01-09 |
2019-05-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. |
|
35 |
CVE-2018-1000409 |
384 |
|
|
2019-01-09 |
2019-05-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. |
|
36 |
CVE-2018-1000408 |
|
|
DoS |
2019-01-09 |
2019-10-02 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory. |
|
37 |
CVE-2018-1000407 |
79 |
|
XSS |
2019-01-09 |
2019-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. |
|
38 |
CVE-2018-1000406 |
22 |
|
Dir. Trav. |
2019-01-09 |
2019-05-08 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. |
|
39 |
CVE-2018-1000195 |
352 |
|
|
2018-06-05 |
2018-07-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. |
|
40 |
CVE-2018-1000194 |
22 |
|
Dir. Trav. Bypass |
2018-06-05 |
2018-07-27 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. |
|
41 |
CVE-2018-1000193 |
74 |
|
|
2018-06-05 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. |
|
42 |
CVE-2018-1000192 |
200 |
|
+Info |
2018-06-05 |
2018-07-27 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. |
|
43 |
CVE-2018-1000170 |
79 |
|
XSS |
2018-04-16 |
2019-05-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
44 |
CVE-2018-1000169 |
200 |
|
+Info |
2018-04-16 |
2019-07-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins. |
|
45 |
CVE-2018-1000068 |
20 |
|
|
2018-02-15 |
2018-03-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. |
|
46 |
CVE-2018-1000067 |
200 |
|
+Info |
2018-02-15 |
2018-03-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. |
|
47 |
CVE-2018-6356 |
22 |
|
Dir. Trav. |
2018-02-20 |
2018-03-19 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. |
|
48 |
CVE-2017-1000504 |
352 |
|
Exec Code CSRF |
2018-01-24 |
2019-05-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. |
|
49 |
CVE-2017-1000503 |
362 |
|
Exec Code |
2018-01-24 |
2018-02-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. |
|
50 |
CVE-2017-1000401 |
20 |
|
|
2018-01-25 |
2019-05-08 |
1.2 |
None |
Local |
High |
Not required |
Partial |
None |
None |
|
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged. |
