Vulnerabilities > Jenkins > Jenkins > 1.36
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-07-23 | CVE-2018-1999002 | A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. | 5.0 |
2018-07-23 | CVE-2018-1999001 | A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. | 4.3 |
2018-06-05 | CVE-2018-1000195 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | 4.3 |
2018-06-05 | CVE-2018-1000194 | Path Traversal vulnerability in multiple products A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. | 5.5 |
2018-06-05 | CVE-2018-1000193 | Injection vulnerability in multiple products A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. | 4.0 |
2018-06-05 | CVE-2018-1000192 | A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. | 4.0 |
2018-05-23 | CVE-2017-2598 | Inadequate Encryption Strength vulnerability in Jenkins Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | 4.0 |
2018-05-22 | CVE-2017-2609 | Information Exposure vulnerability in Jenkins jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). | 4.0 |
2018-05-21 | CVE-2017-2607 | Cross-site Scripting vulnerability in Jenkins jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). | 3.5 |
2018-05-15 | CVE-2017-2613 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. | 5.8 |