Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-29 | CVE-2017-1000356 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | 8.8 |
| 2018-01-29 | CVE-2017-1000355 | Deserialization of Untrusted Data vulnerability in Jenkins Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | 6.5 |
| 2018-01-29 | CVE-2017-1000354 | Improper Authentication vulnerability in Jenkins Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. | 8.8 |
| 2018-01-29 | CVE-2017-1000353 | Deserialization of Untrusted Data vulnerability in multiple products Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. | 9.8 |
| 2018-01-26 | CVE-2017-1000404 | Cross-site Scripting vulnerability in Jenkins Delivery Pipeline The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. | 6.1 |
| 2018-01-26 | CVE-2017-1000403 | Incorrect Permission Assignment for Critical Resource vulnerability in Jenkins Speaks! 0.1/0.1.1 Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts. | 8.8 |
| 2018-01-26 | CVE-2017-1000402 | Improper Input Validation vulnerability in Jenkins Swarm Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | 5.9 |
| 2018-01-26 | CVE-2017-1000401 | Improper Input Validation vulnerability in Jenkins The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. | 2.2 |
| 2018-01-26 | CVE-2017-1000400 | Missing Authorization vulnerability in Jenkins The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. | 4.3 |
| 2018-01-26 | CVE-2017-1000399 | Information Exposure vulnerability in Jenkins The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). | 4.3 |