Vulnerabilities > Jenkins > Jenkins > 1.562

DATE CVE VULNERABILITY TITLE RISK
2018-01-26 CVE-2017-1000393 OS Command Injection vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'.
network
low complexity
jenkins CWE-78
critical
9.0
2018-01-26 CVE-2017-1000392 Cross-site Scripting vulnerability in Jenkins
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
network
jenkins CWE-79
3.5
2018-01-26 CVE-2017-1000391 Improper Input Validation vulnerability in Jenkins
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk.
network
jenkins CWE-20
4.9
2018-01-24 CVE-2017-1000504 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization.
network
jenkins CWE-352
6.8
2017-12-06 CVE-2017-17383 Cross-site Scripting vulnerability in Jenkins
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
network
jenkins CWE-79
3.5
2017-09-12 CVE-2014-9635 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
network
low complexity
jenkins apache CWE-254
5.0
2017-09-12 CVE-2014-9634 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
network
low complexity
jenkins apache CWE-254
5.0
2017-01-12 CVE-2016-9299 LDAP Injection vulnerability in multiple products
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
network
low complexity
jenkins fedoraproject CWE-90
critical
9.8
2016-05-17 CVE-2016-3727 Information Exposure vulnerability in Jenkins
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
network
low complexity
jenkins redhat CWE-200
4.0
2016-05-17 CVE-2016-3726 Open Redirection vulnerability in Jenkins
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.
network
jenkins redhat
5.8