Vulnerabilities > Jenkins

DATE CVE VULNERABILITY TITLE RISK
2017-09-12 CVE-2014-9635 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
network
low complexity
jenkins CWE-254
5.3
2017-09-12 CVE-2014-9634 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
network
low complexity
jenkins CWE-254
5.3
2017-07-17 CVE-2017-1000362 Information Exposure vulnerability in Jenkins
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key.
network
low complexity
jenkins CWE-200
critical
9.8
2017-02-09 CVE-2016-4988 Cross-site Scripting vulnerability in Jenkins Build Failure Analyzer
Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
network
low complexity
jenkins CWE-79
6.1
2017-02-09 CVE-2016-4987 Path Traversal vulnerability in Jenkins Image Gallery
Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.
network
low complexity
jenkins CWE-22
6.5
2017-02-09 CVE-2016-4986 Path Traversal vulnerability in Jenkins TAP
Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter.
network
low complexity
jenkins CWE-22
7.5
2017-02-09 CVE-2016-3102 7PK - Security Features vulnerability in Jenkins Script Security
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
network
low complexity
jenkins CWE-254
7.3
2017-02-09 CVE-2016-3101 Cross-site Scripting vulnerability in Jenkins Extra Columns
Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.
network
low complexity
jenkins CWE-79
5.4
2017-01-12 CVE-2016-9299 LDAP Injection vulnerability in multiple products
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
network
low complexity
jenkins fedoraproject CWE-90
critical
9.8
2016-05-17 CVE-2016-3727 Information Exposure vulnerability in multiple products
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
network
low complexity
jenkins redhat CWE-200
4.3