jenkins

Description: Extendable continuous integration server (latest)
Version:     2.142-1 [community]

Resolved

Group     Affected  Fixed    Severity  Status  Ticket
AVG-738   2.132-1   2.133-1  High      Fixed
AVG-543   2.93-1    2.94-1   Medium    Fixed
AVG-255   2.56-1    2.57-1   High      Fixed
Issue             Group    Severity  Remote  Type
CVE-2018-1999007  AVG-738  Medium    Yes     Cross-site scripting
    Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information....
CVE-2018-1999006  AVG-738  Medium    Yes     Information disclosure
    Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users...
CVE-2018-1999005  AVG-738  Medium    Yes     Cross-site scripting
    The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a...
CVE-2018-1999004  AVG-738  Medium    Yes     Access restriction bypass
    The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999003  AVG-738  Medium    Yes     Access restriction bypass
    The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999002  AVG-738  High      Yes     Arbitrary filesystem access
    An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests...
CVE-2018-1999001  AVG-738  High      Yes     Access restriction bypass
    Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home...
CVE-2017-17383    AVG-543  Medium    Yes     Cross-site scripting
    Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated...
CVE-2017-1000356  AVG-255  High      Yes     Cross-site request forgery
    Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into...
CVE-2017-1000355  AVG-255  Medium    Yes     Arbitrary code execution
    Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to...
CVE-2017-1000354  AVG-255  High      Yes     Privilege escalation
    The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to...

Advisories

Date         Advisory       Group    Severity  Description
21 Jul 2018  ASA-201807-14  AVG-738  High      multiple issues
27 Apr 2017  ASA-201704-8   AVG-255  High      multiple issues