| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2019-1003050 | AVG-948 | Medium | Yes | Cross-site scripting | The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability... |
| CVE-2019-1003049 | AVG-948 | Medium | Yes | Access restriction bypass | A security issue has been found in Jenkins before 2.172, where the fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based... |
| CVE-2019-10354 | AVG-1012 | High | Yes | Access restriction bypass | A security issue has been found in Jenkins before 2.186. Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised... |
| CVE-2019-10353 | AVG-1012 | High | Yes | Cross-site request forgery | By default, CSRF tokens in Jenkins before 2.186 only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for... |
| CVE-2019-10352 | AVG-1012 | High | Yes | Arbitrary file overwrite | A vulnerability has been found in Jenkins before 2.186, where users with Job/Configure permission could specify a relative path escaping the base directory... |
| CVE-2018-1999043 | AVG-778 | Medium | Yes | Access restriction bypass | A security issue has been found in Jenkins version prior to 2.146. When attempting to authenticate using API token, an ephemeral user record was created to... |
| CVE-2018-1999007 | AVG-738 | Medium | Yes | Cross-site scripting | Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information.... |
| CVE-2018-1999006 | AVG-738 | Medium | Yes | Information disclosure | Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users... |
| CVE-2018-1999005 | AVG-738 | Medium | Yes | Cross-site scripting | The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a... |
| CVE-2018-1999004 | AVG-738 | Medium | Yes | Access restriction bypass | The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to... |
| CVE-2018-1999003 | AVG-738 | Medium | Yes | Access restriction bypass | The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to... |
| CVE-2018-1999002 | AVG-738 | High | Yes | Arbitrary filesystem access | An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests... |
| CVE-2018-1999001 | AVG-738 | High | Yes | Access restriction bypass | Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home... |
| CVE-2017-1000356 | AVG-255 | High | Yes | Cross-site request forgery | Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into... |
| CVE-2017-1000355 | AVG-255 | Medium | Yes | Arbitrary code execution | Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to... |
| CVE-2017-1000354 | AVG-255 | High | Yes | Privilege escalation | The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to... |
| CVE-2017-17383 | AVG-543 | Medium | Yes | Cross-site scripting | Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated... |