Vulnerabilities > Jenkins
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-09-12 | CVE-2014-9635 | 7PK - Security Features vulnerability in Jenkins Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. | 5.3 |
2017-09-12 | CVE-2014-9634 | 7PK - Security Features vulnerability in Jenkins Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. | 5.3 |
2017-07-17 | CVE-2017-1000362 | Information Exposure vulnerability in Jenkins The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. | 9.8 |
2017-02-09 | CVE-2016-4988 | Cross-site Scripting vulnerability in Jenkins Build Failure Analyzer Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. | 6.1 |
2017-02-09 | CVE-2016-4987 | Path Traversal vulnerability in Jenkins Image Gallery Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields. | 6.5 |
2017-02-09 | CVE-2016-4986 | Path Traversal vulnerability in Jenkins TAP Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. | 7.5 |
2017-02-09 | CVE-2016-3102 | 7PK - Security Features vulnerability in Jenkins Script Security The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. | 7.3 |
2017-02-09 | CVE-2016-3101 | Cross-site Scripting vulnerability in Jenkins Extra Columns Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. | 5.4 |
2017-01-12 | CVE-2016-9299 | LDAP Injection vulnerability in multiple products The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | 9.8 |
2016-05-17 | CVE-2016-3727 | Information Exposure vulnerability in multiple products The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. | 4.3 |