Filtered by vendor Jenkins
Subscriptions
Total
1606 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-10318 | 1 Jenkins | 1 Azure Ad | 2024-08-04 | 8.8 High |
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system. | ||||
CVE-2019-10353 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-04 | N/A |
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. | ||||
CVE-2019-10351 | 1 Jenkins | 1 Caliper Ci | 2024-08-04 | 8.8 High |
Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||||
CVE-2019-10325 | 1 Jenkins | 1 Warnings Next Generation | 2024-08-04 | N/A |
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages. | ||||
CVE-2019-10316 | 1 Jenkins | 1 Aqua Microscanner | 2024-08-04 | 8.8 High |
Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | ||||
CVE-2019-10355 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-08-04 | 8.8 High |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
CVE-2019-10332 | 1 Jenkins | 1 Electricflow | 2024-08-04 | 4.3 Medium |
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials. | ||||
CVE-2019-10390 | 1 Jenkins | 1 Splunk | 2024-08-04 | 8.8 High |
A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | ||||
CVE-2019-10373 | 1 Jenkins | 1 Build Pipeline | 2024-08-04 | 5.4 Medium |
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | ||||
CVE-2019-10367 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 5.5 Medium |
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. | ||||
CVE-2019-10347 | 1 Jenkins | 1 Mashup Portlets | 2024-08-04 | 8.8 High |
Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system. | ||||
CVE-2019-10319 | 1 Jenkins | 1 Pluggable Authentication Module | 2024-08-04 | 4.3 Medium |
A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as. | ||||
CVE-2019-10387 | 1 Jenkins | 1 Xl Testview | 2024-08-04 | 6.5 Medium |
A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
CVE-2019-10341 | 1 Jenkins | 1 Docker | 2024-08-04 | 6.5 Medium |
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
CVE-2019-10377 | 1 Jenkins | 1 Avatar | 2024-08-04 | 4.3 Medium |
A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins. | ||||
CVE-2019-10320 | 2 Jenkins, Redhat | 2 Credentials, Openshift | 2024-08-04 | N/A |
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate. | ||||
CVE-2019-10339 | 1 Jenkins | 1 Jx Resources | 2024-08-04 | 8.8 High |
A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. | ||||
CVE-2019-10344 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 4.3 Medium |
Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins. | ||||
CVE-2019-10346 | 1 Jenkins | 1 Embeddable Build Status | 2024-08-04 | 6.1 Medium |
A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin. | ||||
CVE-2019-10331 | 1 Jenkins | 1 Electricflow | 2024-08-04 | N/A |
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |