Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-08-01 | CVE-2018-1999030 | Information Exposure vulnerability in Jenkins Maven Artifact Choicelistprovider (Nexus) An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | 4.0 |
| 2018-08-01 | CVE-2018-1999029 | Cross-site Scripting vulnerability in Jenkins Shelve Project A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | 3.5 |
| 2018-08-01 | CVE-2018-1999028 | Information Exposure vulnerability in Jenkins Accurev An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | 4.0 |
| 2018-08-01 | CVE-2018-1999027 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Saltstack An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | 6.8 |
| 2018-08-01 | CVE-2018-1999026 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Tracetronic Ecu-Test A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host. | 4.0 |
| 2018-08-01 | CVE-2018-1999025 | Improper Certificate Validation vulnerability in Jenkins Tracetronic Ecu-Test A man in the middle vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java, ATXValidator.java that allows attackers to impersonate any service that Jenkins connects to. | 5.8 |
| 2018-07-27 | CVE-2017-2652 | Improper Authentication vulnerability in Jenkins Distributed Fork It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes. | 9.0 |
| 2018-07-27 | CVE-2017-2650 | Security Bypass vulnerability in Jenkins Pipeline Classpath Step 0.1.0 It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. network jenkins | 6.0 |
| 2018-07-27 | CVE-2017-2649 | Improper Certificate Validation vulnerability in Jenkins Active Directory It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. | 6.8 |
| 2018-07-27 | CVE-2017-2648 | Improper Certificate Validation vulnerability in Jenkins SSH Slaves It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. | 6.8 |