The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.
Max CVSS
9.8
EPSS Score
0.25%
Published
2017-07-17
Updated
2017-07-26
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
Max CVSS
4.7
EPSS Score
0.11%
Published
2017-12-06
Updated
2017-12-22
CVE-2016-9299
Public exploit
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Max CVSS
9.8
EPSS Score
63.29%
Published
2017-01-12
Updated
2019-05-22
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Max CVSS
5.3
EPSS Score
0.42%
Published
2017-09-12
Updated
2017-09-21
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
Max CVSS
5.3
EPSS Score
0.42%
Published
2017-09-12
Updated
2017-09-21
5 vulnerabilities found