Vulnerabilities > Jenkins

DATE CVE VULNERABILITY TITLE RISK
2019-01-22 CVE-2019-1003002 A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
network
low complexity
jenkins redhat
8.8
8.8
2019-01-22 CVE-2019-1003001 A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
network
low complexity
jenkins redhat
8.8
8.8
2019-01-22 CVE-2019-1003000 A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.
network
low complexity
jenkins redhat
8.8
8.8
2019-01-09 CVE-2018-1000426 Cross-site Scripting vulnerability in Jenkins GIT Changelog
A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.
network
low complexity
jenkins CWE-79
6.1
6.1
2019-01-09 CVE-2018-1000417 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Email Extension Template
A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.
network
low complexity
jenkins CWE-352
8.1
8.1
2019-01-09 CVE-2018-1000414 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Config File Provider
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.
network
low complexity
jenkins CWE-352
8.1
8.1
2019-01-09 CVE-2018-1000413 Cross-site Scripting vulnerability in Jenkins Config File Provider
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.
network
low complexity
jenkins CWE-79
5.4
5.4
2019-01-09 CVE-2018-1000412 Incorrect Authorization vulnerability in Jenkins Jira
An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-863
8.8
8.8
2019-01-09 CVE-2018-1000411 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Junit
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.
network
low complexity
jenkins CWE-352
6.5
6.5
2019-01-09 CVE-2018-1000410 Information Exposure vulnerability in Jenkins
An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.
local
low complexity
jenkins CWE-200
7.8
7.8