Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-12-10 | CVE-2018-1000866 | Improper Privilege Management vulnerability in multiple products A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | 8.8 |
| 2018-12-10 | CVE-2018-1000865 | Improper Privilege Management vulnerability in multiple products A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | 8.8 |
| 2018-12-10 | CVE-2018-1000864 | Infinite Loop vulnerability in multiple products A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | 6.5 |
| 2018-12-10 | CVE-2018-1000863 | Path Traversal vulnerability in multiple products A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | 8.2 |
| 2018-12-10 | CVE-2018-1000862 | Information Exposure vulnerability in multiple products An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | 4.3 |
| 2018-12-10 | CVE-2018-1000861 | Deserialization of Untrusted Data vulnerability in multiple products A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | 9.8 |
| 2018-08-23 | CVE-2018-1999047 | Incorrect Authorization vulnerability in Jenkins A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. | 6.5 |
| 2018-08-23 | CVE-2018-1999046 | Information Exposure vulnerability in Jenkins A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. | 4.3 |
| 2018-08-23 | CVE-2018-1999045 | Improper Authentication vulnerability in Jenkins A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. | 5.4 |
| 2018-08-23 | CVE-2018-1999044 | Infinite Loop vulnerability in Jenkins A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | 6.5 |