Vulnerabilities > Jenkins

DATE CVE VULNERABILITY TITLE RISK
2019-05-21 CVE-2019-10319 Missing Authorization vulnerability in Jenkins Pluggable Authentication Module
A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.
network
low complexity
jenkins CWE-862
4.3
4.3
2019-04-30 CVE-2019-10318 Insufficiently Protected Credentials vulnerability in Jenkins Azure AD
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.
network
low complexity
jenkins CWE-522
8.8
8.8
2019-04-30 CVE-2019-10317 Improper Certificate Validation vulnerability in Jenkins Sitemonitor
Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.
network
high complexity
jenkins CWE-295
5.9
5.9
2019-04-30 CVE-2019-10316 Insufficiently Protected Credentials vulnerability in Jenkins Aqua Microscanner
Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
network
low complexity
jenkins CWE-522
8.8
8.8
2019-04-30 CVE-2019-10315 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Github Authentication
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.
network
low complexity
jenkins CWE-352
8.8
8.8
2019-04-30 CVE-2019-10314 Improper Certificate Validation vulnerability in Jenkins Koji
Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
network
high complexity
jenkins CWE-295
5.9
5.9
2019-04-30 CVE-2019-10313 Insufficiently Protected Credentials vulnerability in Jenkins Twitter
Jenkins Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
network
low complexity
jenkins CWE-522
8.8
8.8
2019-04-30 CVE-2019-10312 Missing Authorization vulnerability in Jenkins Ansible Tower
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3
4.3
2019-04-30 CVE-2019-10311 Missing Authorization vulnerability in Jenkins Ansible Tower
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
8.8
8.8
2019-04-30 CVE-2019-10310 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Ansible Tower
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
network
low complexity
jenkins CWE-352
8.8
8.8