Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-05-31 | CVE-2019-10327 | XXE vulnerability in Jenkins Pipeline Maven Integration An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. | 8.1 |
| 2019-05-31 | CVE-2019-10326 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Warnings Next Generation 5.0.0 A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds. | 4.3 |
| 2019-05-31 | CVE-2019-10325 | Cross-site Scripting vulnerability in Jenkins Warnings Next Generation A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages. | 5.4 |
| 2019-05-21 | CVE-2019-10320 | File and Directory Information Exposure vulnerability in Jenkins Credentials Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate. | 4.3 |
| 2019-05-21 | CVE-2019-10319 | Missing Authorization vulnerability in Jenkins Pluggable Authentication Module A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as. | 4.3 |
| 2019-04-30 | CVE-2019-10318 | Insufficiently Protected Credentials vulnerability in Jenkins Azure AD Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system. | 8.8 |
| 2019-04-30 | CVE-2019-10317 | Improper Certificate Validation vulnerability in Jenkins Sitemonitor Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. | 5.9 |
| 2019-04-30 | CVE-2019-10316 | Insufficiently Protected Credentials vulnerability in Jenkins Aqua Microscanner Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | 8.8 |
| 2019-04-30 | CVE-2019-10315 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Github Authentication Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF. | 8.8 |
| 2019-04-30 | CVE-2019-10314 | Improper Certificate Validation vulnerability in Jenkins Koji Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | 5.9 |