CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Jenkins » Jenkins » 1.625.1 ~~lts~~~ : Security Vulnerabilities

Cpe Name:cpe:/a:jenkins:jenkins:1.625.1::~~lts~~~
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-6356 22 Dir. Trav. 2018-02-20 2018-03-19
4.0
None Remote Low Single system Partial None None
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
2 CVE-2017-2613 352 CSRF 2018-05-15 2019-10-09
5.8
None Remote Medium Not required None Partial Partial
jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).
3 CVE-2017-2612 732 2018-05-15 2019-10-09
5.5
None Remote Low Single system None Partial Partial
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.
4 CVE-2017-2611 269 2018-05-08 2019-10-09
4.0
None Remote Low Single system None None Partial
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
5 CVE-2017-2610 79 XSS 2018-05-15 2019-10-09
3.5
None Remote Medium Single system None Partial None
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).
6 CVE-2017-2609 200 +Info 2018-05-22 2019-10-09
4.0
None Remote Low Single system Partial None None
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
7 CVE-2017-2608 502 Exec Code 2018-05-15 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
8 CVE-2017-2607 79 XSS 2018-05-21 2019-10-09
3.5
None Remote Medium Single system None Partial None
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
9 CVE-2017-2606 200 +Info 2018-05-08 2019-10-09
4.0
None Remote Low Single system Partial None None
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
10 CVE-2017-2604 287 2018-05-15 2019-10-09
4.0
None Remote Low Single system None Partial None
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
11 CVE-2017-2603 200 +Info 2018-05-15 2019-10-09
3.5
None Remote Medium Single system Partial None None
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
12 CVE-2017-2602 2018-05-15 2019-10-09
4.0
None Remote Low Single system None Partial None
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).
13 CVE-2017-2601 79 XSS 2018-05-10 2019-10-09
3.5
None Remote Medium Single system None Partial None
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
14 CVE-2017-2600 200 +Info 2018-05-15 2019-10-09
4.0
None Remote Low Single system Partial None None
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).
15 CVE-2017-2599 269 2018-04-11 2019-10-09
5.5
None Remote Low Single system Partial Partial None
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).
16 CVE-2017-2598 326 2018-05-23 2019-10-09
4.0
None Remote Low Single system Partial None None
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
17 CVE-2015-8103 77 Exec Code 2015-11-25 2016-12-07
7.5
None Remote Low Not required Partial Partial Partial
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
18 CVE-2015-7539 345 Exec Code 2016-02-03 2016-06-13
7.6
None Remote High Not required Complete Complete Complete
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
19 CVE-2015-7538 Bypass CSRF 2016-02-03 2016-06-13
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.
20 CVE-2015-7537 352 CSRF 2016-02-03 2016-06-13
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.
21 CVE-2015-7536 79 XSS 2016-02-03 2016-06-13
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.
22 CVE-2015-5326 79 XSS 2015-11-25 2016-06-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.
23 CVE-2015-5325 284 Bypass 2015-11-25 2016-06-13
7.5
None Remote Low Not required Partial Partial Partial
Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.
24 CVE-2015-5324 264 +Info 2015-11-25 2016-06-13
5.0
None Remote Low Not required Partial None None
Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.
25 CVE-2015-5323 264 +Priv 2015-11-25 2016-06-13
6.5
None Remote Low Single system Partial Partial Partial
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
26 CVE-2015-5322 22 Dir. Trav. 2015-11-25 2016-06-13
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.
27 CVE-2015-5321 200 +Info 2015-11-25 2016-06-13
5.0
None Remote Low Not required Partial None None
The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.
28 CVE-2015-5320 200 +Info 2015-11-25 2016-06-13
5.0
None Remote Low Not required Partial None None
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.
29 CVE-2015-5319 2015-11-25 2016-06-15
5.0
None Remote Low Not required Partial None None
XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.
30 CVE-2015-5318 352 Bypass CSRF 2015-11-25 2016-06-15
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.
31 CVE-2015-5317 200 +Info 2015-11-25 2016-06-15
5.0
None Remote Low Not required Partial None None
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
Total number of vulnerabilities : 31   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.