Vulnerabilities > Jenkins
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-01-26 | CVE-2017-1000388 | Missing Authorization vulnerability in Jenkins Dependency Graph Viewer. Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data. | 4.3 |
2018-01-26 | CVE-2017-1000387 | Insufficiently Protected Credentials vulnerability in Jenkins Build-Publisher. Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. | 7.8 |
2018-01-26 | CVE-2017-1000386 | Cross-site Scripting vulnerability in Jenkins Active Choices. Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. | 5.4 |
2018-01-25 | CVE-2017-1000505 | Information Exposure vulnerability in Jenkins Script Security. In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. | 6.5 |
2018-01-24 | CVE-2017-1000504 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins. A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. | 8.1 |
2018-01-24 | CVE-2017-1000503 | Race Condition vulnerability in Jenkins. A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. | 8.1 |
2018-01-24 | CVE-2017-1000502 | OS Command Injection vulnerability in Jenkins EC2. Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. | 8.8 |
2018-01-23 | CVE-2018-1000015 | Missing Authorization vulnerability in Jenkins Pipeline Nodes and Processes. On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. | 4.8 |
2018-01-23 | CVE-2018-1000014 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Translation Assistance. Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. | 8.8 |
2018-01-23 | CVE-2018-1000013 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Release. Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. | 8.8 |