Vulnerabilities > Jenkins > Critical

DATE CVE VULNERABILITY TITLE RISK
2019-03-08 CVE-2019-1003031 A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
network
low complexity
jenkins redhat
critical
9.9
2019-03-08 CVE-2019-1003030 A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
network
low complexity
jenkins redhat
critical
9.9
2019-03-08 CVE-2019-1003029 A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
network
low complexity
jenkins redhat
critical
9.9
2019-02-06 CVE-2019-1003015 XXE vulnerability in Jenkins JOB Import
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.
network
low complexity
jenkins CWE-611
critical
9.1
2018-12-10 CVE-2018-1000861 Deserialization of Untrusted Data vulnerability in multiple products
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
network
low complexity
jenkins redhat CWE-502
critical
9.8
2018-01-29 CVE-2017-1000353 Deserialization of Untrusted Data vulnerability in multiple products
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution.
network
low complexity
jenkins oracle CWE-502
critical
9.8
2017-11-01 CVE-2017-1000245 Insufficiently Protected Credentials vulnerability in Jenkins SSH
The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol.
network
low complexity
jenkins CWE-522
critical
9.8
2017-07-17 CVE-2017-1000362 Information Exposure vulnerability in Jenkins
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key.
network
low complexity
jenkins CWE-200
critical
9.8
2017-01-12 CVE-2016-9299 LDAP Injection vulnerability in multiple products
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
network
low complexity
jenkins fedoraproject CWE-90
critical
9.8
2016-04-07 CVE-2016-0791 Information Exposure vulnerability in multiple products
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
network
low complexity
redhat jenkins CWE-200
critical
9.8