| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1000189 |
77 |
|
Exec Code |
2018-06-05 |
2018-07-18 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master. |
|
2 |
CVE-2018-1000153 |
352 |
|
DoS CSRF |
2018-04-05 |
2018-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
|
3 |
CVE-2018-1000152 |
285 |
|
DoS |
2018-04-05 |
2018-05-22 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
|
4 |
CVE-2018-1000151 |
295 |
|
|
2018-04-05 |
2018-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. |
|
5 |
CVE-2018-1000149 |
320 |
|
|
2018-04-05 |
2018-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. |
|
6 |
CVE-2018-1000146 |
264 |
|
Exec Code |
2018-04-05 |
2018-05-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM. |
|
7 |
CVE-2018-1000058 |
502 |
|
Exec Code |
2018-02-09 |
2018-03-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. |
|
8 |
CVE-2018-1000056 |
611 |
|
|
2018-02-09 |
2018-03-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
9 |
CVE-2018-1000055 |
611 |
|
|
2018-02-09 |
2018-03-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
10 |
CVE-2018-1000054 |
611 |
|
|
2018-02-09 |
2018-03-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
11 |
CVE-2018-1000014 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. |
|
12 |
CVE-2018-1000013 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. |
|
13 |
CVE-2018-1000012 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
14 |
CVE-2018-1000011 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
15 |
CVE-2018-1000010 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
16 |
CVE-2018-1000009 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
17 |
CVE-2018-1000008 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
18 |
CVE-2018-8718 |
352 |
|
CSRF |
2018-03-27 |
2018-06-07 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. |
|
19 |
CVE-2017-1000504 |
352 |
|
Exec Code CSRF |
2018-01-24 |
2018-02-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. |
|
20 |
CVE-2017-1000503 |
362 |
|
Exec Code |
2018-01-24 |
2018-02-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. |
|
21 |
CVE-2017-1000403 |
264 |
|
|
2018-01-25 |
2018-02-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts. |
|
22 |
CVE-2017-1000356 |
352 |
|
|
2018-01-29 |
2018-02-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. |
|
23 |
CVE-2017-1000354 |
287 |
|
|
2018-01-29 |
2018-02-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. |
|
24 |
CVE-2017-1000244 |
352 |
|
CSRF |
2017-11-01 |
2017-11-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification |
|
25 |
CVE-2017-1000107 |
284 |
|
Bypass |
2017-10-04 |
2017-11-01 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. |
|
26 |
CVE-2017-1000096 |
284 |
|
Exec Code |
2017-10-04 |
2017-10-17 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. |
|
27 |
CVE-2017-1000093 |
352 |
|
CSRF |
2017-10-04 |
2017-10-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. |
|
28 |
CVE-2017-1000091 |
352 |
|
CSRF |
2017-10-04 |
2017-10-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery. |
|
29 |
CVE-2017-1000090 |
352 |
|
CSRF |
2017-10-04 |
2017-11-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. |
|
30 |
CVE-2017-1000086 |
352 |
|
CSRF |
2017-10-04 |
2017-11-02 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. |
|
31 |
CVE-2017-2650 |
254 |
|
Bypass |
2018-07-27 |
2018-09-24 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins. |
|
32 |
CVE-2017-2649 |
295 |
|
|
2018-07-27 |
2018-09-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. |
|
33 |
CVE-2017-2608 |
502 |
|
Exec Code |
2018-05-15 |
2018-06-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). |
|
34 |
CVE-2015-7538 |
|
|
Bypass CSRF |
2016-02-03 |
2016-06-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. |
|
35 |
CVE-2015-7537 |
352 |
|
CSRF |
2016-02-03 |
2016-06-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method. |
|
36 |
CVE-2015-5323 |
264 |
|
+Priv |
2015-11-25 |
2016-06-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user. |
|
37 |
CVE-2015-5318 |
352 |
|
Bypass CSRF |
2015-11-25 |
2016-06-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack. |
|
38 |
CVE-2015-1806 |
264 |
|
Exec Code +Priv |
2015-10-16 |
2016-06-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. |
|
39 |
CVE-2014-3665 |
264 |
|
Exec Code |
2015-11-25 |
2016-06-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave. |
|
40 |
CVE-2014-3663 |
264 |
|
Bypass |
2014-10-16 |
2016-06-15 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors. |
|
41 |
CVE-2014-2066 |
287 |
|
|
2014-10-17 |
2016-06-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies. |
|
42 |
CVE-2014-2062 |
287 |
|
|
2014-10-17 |
2016-06-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token. |
|
43 |
CVE-2014-2059 |
22 |
|
Dir. Trav. |
2014-02-28 |
2017-08-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name. |
|
44 |
CVE-2014-2058 |
264 |
|
Bypass |
2014-10-17 |
2016-06-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330. |
|
45 |
CVE-2013-0327 |
352 |
|
CSRF |
2013-03-19 |
2016-06-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors. |
