CVEdetails.com the ultimate security vulnerability data source
Jenkins: Security Vulnerabilities (CVSS score between 2 and 2.99)

| # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-1003048 | 255 | | 2019-03-28 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration. |
| 2 | CVE-2019-1003044 | 352 | CSRF | 2019-03-28 | 2019-10-09 | 2.1 | None | Remote | High | Single system | Partial | None | None | A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| 3 | CVE-2019-1003017 | 352 | | 2019-02-06 | 2019-10-09 | 2.6 | None | Remote | High | Not required | None | Partial | None | A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from another preconfigured Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. |
| 4 | CVE-2019-10433 | 312 | | 2019-10-01 | 2019-10-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Dingding[钉钉] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| 5 | CVE-2019-10430 | 312 | | 2019-09-25 | 2019-09-25 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
| 6 | CVE-2019-10429 | 312 | | 2019-09-25 | 2019-09-25 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 7 | CVE-2019-10426 | 312 | | 2019-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 8 | CVE-2019-10424 | 312 | | 2019-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 9 | CVE-2019-10423 | 312 | | 2019-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 10 | CVE-2019-10420 | 312 | | 2019-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 11 | CVE-2019-10419 | 312 | | 2019-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 12 | CVE-2019-10398 | 522 | | 2019-09-12 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
| 13 | CVE-2019-10397 | 522 | | 2019-09-12 | 2019-10-09 | 2.6 | None | Remote | High | Not required | Partial | None | None | Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. |
| 14 | CVE-2019-10378 | 255 | | 2019-08-07 | 2019-09-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| 15 | CVE-2019-10367 | 532 | | 2019-08-07 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. |
| 16 | CVE-2019-10364 | 200 | +Info | 2019-07-31 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. |
| 17 | CVE-2019-10361 | 255 | | 2019-07-31 | 2019-09-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. |
| 18 | CVE-2019-10345 | 255 | | 2019-07-31 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. |
| 19 | CVE-2019-10343 | 532 | | 2019-07-31 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. |
| 20 | CVE-2018-1999041 | 200 | +Info | 2018-08-01 | 2018-10-03 | 2.1 | None | Local | Low | Not required | Partial | None | None | An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration. |
| 21 | CVE-2018-1000410 | 200 | +Info | 2019-01-09 | 2019-05-08 | 2.1 | None | Local | Low | Not required | Partial | None | None | An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java and core/src/main/java/hudson/model/Descriptor.java, that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. |
| 22 | CVE-2018-1000404 | 522 | | 2018-07-09 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSClientFactory.java and CodeBuilder.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later. |
| 23 | CVE-2018-1000403 | 522 | | 2018-07-09 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later. |
| 24 | CVE-2018-1000401 | 522 | | 2018-07-09 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later. |
| 25 | CVE-2018-1000150 | 200 | +Info | 2018-04-05 | 2018-05-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users. |
| 26 | CVE-2018-1000143 | 200 | +Info | 2018-04-05 | 2018-05-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
| 27 | CVE-2018-1000142 | 200 | +Info | 2018-04-05 | 2018-05-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
| 28 | CVE-2018-1000104 | 522 | | 2018-03-13 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords. |
| 29 | CVE-2017-1000387 | 522 | XSS | 2018-01-25 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations. |
| 30 | CVE-2017-1000242 | 200 | +Info | 2017-11-01 | 2017-11-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | Jenkins Git Client Plugin 2.4.2 and earlier creates a temporary file with insecure permissions, resulting in information disclosure. |
| 31 | CVE-2017-1000113 | 200 | +Info | 2017-10-04 | 2019-06-11 | 2.1 | None | Local | Low | Not required | Partial | None | None | The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords. |
| 32 | CVE-2017-1000092 | 352 | | 2017-10-04 | 2017-10-17 | 2.6 | None | Remote | High | Not required | Partial | None | None | Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL, which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. |
| 33 | CVE-2013-0158 | | | 2013-02-24 | 2018-10-30 | 2.6 | None | Remote | High | Not required | Partial | None | None | Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors. |
| 34 | CVE-2011-4344 | 79 | XSS | 2011-12-01 | 2016-06-13 | 2.6 | None | Remote | High | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages. |
Total number of vulnerabilities: 34. Page: 1 (this page).