Vulnerabilities > Jenkins > Critical

DATE CVE VULNERABILITY TITLE RISK
2019-03-08 CVE-2019-1003029 A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
network
low complexity
jenkins redhat
critical
9.9
2019-02-06 CVE-2019-1003015 XXE vulnerability in Jenkins JOB Import
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.
network
low complexity
jenkins CWE-611
critical
9.1
2018-12-10 CVE-2018-1000861 Deserialization of Untrusted Data vulnerability in multiple products
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
network
low complexity
jenkins redhat CWE-502
critical
10.0
2018-07-27 CVE-2017-2652 Improper Authentication vulnerability in Jenkins Distributed Fork
It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
network
low complexity
jenkins CWE-287
critical
9.0
2018-01-26 CVE-2017-1000393 OS Command Injection vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'.
network
low complexity
jenkins CWE-78
critical
9.0
2018-01-24 CVE-2017-1000502 OS Command Injection vulnerability in Jenkins EC2
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched.
network
low complexity
jenkins CWE-78
critical
9.0
2017-01-12 CVE-2016-9299 LDAP Injection vulnerability in multiple products
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
network
low complexity
jenkins fedoraproject CWE-90
critical
9.8
2016-04-07 CVE-2016-0792 Improper Input Validation vulnerability in Jenkins
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
network
low complexity
jenkins redhat CWE-20
critical
9.0
2016-04-07 CVE-2016-0788 Permissions, Privileges, and Access Controls vulnerability in Jenkins
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
network
low complexity
jenkins redhat CWE-264
critical
10.0
2015-11-25 CVE-2015-8103 Deserialization of Untrusted Data vulnerability in multiple products
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
network
low complexity
redhat jenkins CWE-502
critical
9.8