| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1003048 |
255 |
|
|
2019-03-28 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration. |
|
2 |
CVE-2019-1003044 |
352 |
|
CSRF |
2019-03-28 |
2019-10-09 |
2.1 |
None |
Remote |
High |
Single system |
Partial |
None |
None |
|
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
|
3 |
CVE-2019-1003017 |
352 |
|
|
2019-02-06 |
2019-10-09 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. |
|
4 |
CVE-2019-10433 |
312 |
|
|
2019-10-01 |
2019-10-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
|
5 |
CVE-2019-10430 |
312 |
|
|
2019-09-25 |
2019-09-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
6 |
CVE-2019-10429 |
312 |
|
|
2019-09-25 |
2019-09-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
7 |
CVE-2019-10426 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
8 |
CVE-2019-10424 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
9 |
CVE-2019-10423 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
10 |
CVE-2019-10420 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
11 |
CVE-2019-10419 |
312 |
|
|
2019-09-25 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
12 |
CVE-2019-10398 |
522 |
|
|
2019-09-12 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. |
|
13 |
CVE-2019-10397 |
522 |
|
|
2019-09-12 |
2019-10-09 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. |
|
14 |
CVE-2019-10378 |
255 |
|
|
2019-08-07 |
2019-09-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
|
15 |
CVE-2019-10367 |
532 |
|
|
2019-08-07 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. |
|
16 |
CVE-2019-10364 |
200 |
|
+Info |
2019-07-31 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. |
|
17 |
CVE-2019-10361 |
255 |
|
|
2019-07-31 |
2019-09-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. |
|
18 |
CVE-2019-10345 |
255 |
|
|
2019-07-31 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. |
|
19 |
CVE-2019-10343 |
532 |
|
|
2019-07-31 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. |
|
20 |
CVE-2018-1999041 |
200 |
|
+Info |
2018-08-01 |
2018-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration. |
|
21 |
CVE-2018-1000410 |
200 |
|
+Info |
2019-01-09 |
2019-05-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. |
|
22 |
CVE-2018-1000404 |
522 |
|
|
2018-07-09 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later. |
|
23 |
CVE-2018-1000403 |
522 |
|
|
2018-07-09 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later. |
|
24 |
CVE-2018-1000401 |
522 |
|
|
2018-07-09 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later. |
|
25 |
CVE-2018-1000150 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in users. |
|
26 |
CVE-2018-1000143 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
|
27 |
CVE-2018-1000142 |
200 |
|
+Info |
2018-04-05 |
2018-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. |
|
28 |
CVE-2018-1000104 |
522 |
|
|
2018-03-13 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords. |
|
29 |
CVE-2017-1000387 |
522 |
|
XSS |
2018-01-25 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations. |
|
30 |
CVE-2017-1000242 |
200 |
|
+Info |
2017-11-01 |
2017-11-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure |
|
31 |
CVE-2017-1000113 |
200 |
|
+Info |
2017-10-04 |
2019-06-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords. |
|
32 |
CVE-2017-1000092 |
352 |
|
|
2017-10-04 |
2017-10-17 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. |
|
33 |
CVE-2013-0158 |
|
|
|
2013-02-24 |
2018-10-30 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors. |
|
34 |
CVE-2011-4344 |
79 |
|
XSS |
2011-12-01 |
2016-06-13 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages. |
