Filtered by vendor Jenkins
Subscriptions
Total
1606 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-10389 | 1 Jenkins | 1 Relution Enterprise Appstore Publisher | 2024-08-04 | 4.3 Medium |
| A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | ||||
| CVE-2019-10356 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-08-04 | 8.8 High |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 5.4 Medium |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | ||||
| CVE-2019-10370 | 1 Jenkins | 1 Mask Passwords | 2024-08-04 | 6.5 Medium |
| Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure. | ||||
| CVE-2019-10378 | 1 Jenkins | 1 Testlink | 2024-08-04 | 5.3 Medium |
| Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | ||||
| CVE-2019-10396 | 1 Jenkins | 1 Dashboard View | 2024-08-04 | 5.4 Medium |
| Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions. | ||||
| CVE-2019-10368 | 1 Jenkins | 1 Jclouds | 2024-08-04 | N/A |
| A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2019-10357 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2024-08-04 | 4.3 Medium |
| A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. | ||||
| CVE-2019-10381 | 1 Jenkins | 1 Codefresh Integration | 2024-08-04 | 7.5 High |
| Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | ||||
| CVE-2019-10328 | 2 Jenkins, Redhat | 2 Pipeline Remote Loader, Openshift | 2024-08-04 | N/A |
| Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. | ||||
| CVE-2019-10317 | 1 Jenkins | 1 Sitemonitor | 2024-08-04 | N/A |
| Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. | ||||
| CVE-2019-10360 | 1 Jenkins | 1 M2 Release | 2024-08-04 | 5.4 Medium |
| A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | ||||
| CVE-2019-10343 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 3.3 Low |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. | ||||
| CVE-2019-10334 | 1 Jenkins | 1 Electricflow | 2024-08-04 | N/A |
| Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. | ||||
| CVE-2019-10338 | 1 Jenkins | 1 Jx Resources | 2024-08-04 | N/A |
| A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. | ||||
| CVE-2019-10369 | 1 Jenkins | 1 Jclouds | 2024-08-04 | 6.5 Medium |
| A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2019-10364 | 1 Jenkins | 1 Ec2 | 2024-08-04 | 5.5 Medium |
| Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. | ||||
| CVE-2019-10345 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 5.5 Medium |
| Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. | ||||
| CVE-2019-10348 | 1 Jenkins | 1 Gogs | 2024-08-04 | 8.8 High |
| Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||||
| CVE-2019-10335 | 1 Jenkins | 1 Electricflow | 2024-08-04 | N/A |
| A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages. | ||||