CVE-2018-1999007 | Medium | Yes | Cross-site scripting | Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information....
CVE-2018-1999006 | Medium | Yes | Information disclosure | Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users...
CVE-2018-1999005 | Medium | Yes | Cross-site scripting | The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a...
CVE-2018-1999004 | Medium | Yes | Access restriction bypass | The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999003 | Medium | Yes | Access restriction bypass | The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999002 | High | Yes | Arbitrary filesystem access | An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests...
CVE-2018-1999001 | High | Yes | Access restriction bypass | Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home...
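The practical check that follows from this listing is whether a given Jenkins instance still runs a release older than the fixed version it names ("Jenkins before 2.133"). The script below is an added example, not code from the listing or from the Jenkins project: it reads the version Jenkins reports in its X-Jenkins response header, parses it, and returns the CVE ids above that apply. It assumes that three-component versions (2.121.2) are LTS releases and two-component versions (2.133) are weekly releases, and that the LTS line has its own fix release, given here as LTS_FIXED as an assumption to verify against the vendor advisory, since the listing itself only states 2.133. The two entries whose truncated text names no version are carried under the same threshold, also as an assumption. The sample headers at the bottom are constructed, not captured from a real host.

```python
"""Offline check of a Jenkins instance's reported version against the
fixed-version threshold given in the listing above ("Jenkins before 2.133").

Added example, not code from the listing or from the Jenkins project.
Assumptions:
  * the version is read from the X-Jenkins response header;
  * three-component versions (2.121.2) are LTS, two-component (2.133) weekly;
  * LTS_FIXED is the LTS release assumed to carry the same fixes; verify it
    against the vendor advisory, the listing itself only states 2.133;
  * the two entries whose truncated text names no version are treated as
    fixed in the same release.
"""
import re
from typing import Optional

WEEKLY_FIXED = (2, 133)   # from the listing: "Jenkins before 2.133"
LTS_FIXED = (2, 121, 2)   # assumption, see module docstring

# CVE ids and categories copied from the listing above.
LISTED_CVES = [
    ("CVE-2018-1999007", "Cross-site scripting"),
    ("CVE-2018-1999006", "Information disclosure"),
    ("CVE-2018-1999005", "Cross-site scripting"),
    ("CVE-2018-1999004", "Access restriction bypass"),
    ("CVE-2018-1999003", "Access restriction bypass"),
    ("CVE-2018-1999002", "Arbitrary filesystem access"),
    ("CVE-2018-1999001", "Access restriction bypass"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """'2.121.2' -> (2, 121, 2); '2.133' -> (2, 133). Rejects anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def fixed_version_for(version: tuple) -> tuple:
    """LTS (three components) and weekly (two) lines have different fix releases."""
    return LTS_FIXED if len(version) == 3 else WEEKLY_FIXED


def is_affected(version_text: str) -> bool:
    """True when the version predates the fix release for its line."""
    v = parse_version(version_text)
    return v < fixed_version_for(v)


def version_from_headers(headers: dict) -> Optional[str]:
    """Return the X-Jenkins header value (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def affected_cves(headers: dict) -> list:
    """CVE ids from the listing that apply to the version in the response headers.
    An empty list means either 'fixed' or 'no X-Jenkins header seen'."""
    version = version_from_headers(headers)
    if version is None or not is_affected(version):
        return []
    return [cve for cve, _ in LISTED_CVES]


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real host.
    samples = {
        "weekly, unfixed": {"X-Jenkins": "2.132", "Server": "Jetty"},
        "weekly, fixed":   {"X-Jenkins": "2.133"},
        "LTS, unfixed":    {"x-jenkins": "2.121.1"},
        "LTS, fixed":      {"X-Jenkins": "2.121.2"},
        "not Jenkins":     {"Server": "nginx"},
    }
    for label, hdrs in samples.items():
        hits = affected_cves(hdrs)
        print(f"{label:16} -> {', '.join(hits) if hits else 'not affected / unknown'}")
```

The comparison is a plain tuple comparison, so it only works because the weekly and LTS lines are compared against their own threshold; comparing an LTS version such as 2.121.2 against the weekly 2.133 would wrongly report it as unpatched. A missing X-Jenkins header is reported as "unknown" rather than "fixed", since a reverse proxy may strip it.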