High-risk Jenkins vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2018-08-01 CVE-2018-1999035 Improper Certificate Validation vulnerability in Jenkins Inedo Buildmaster 1.0/1.2/1.3
A man-in-the-middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.
Attack vector: network | Attack complexity: high | Tags: jenkins | CWE-295 | Risk: 7.4

2018-08-01 CVE-2018-1999034 Improper Certificate Validation vulnerability in Jenkins Inedo Proget
A man-in-the-middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to.
Attack vector: network | Attack complexity: high | Tags: jenkins | CWE-295 | Risk: 7.4

2018-08-01 CVE-2018-1999028 Information Exposure vulnerability in Jenkins Accurev
An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
Attack vector: network | Attack complexity: low | Tags: jenkins | CWE-200 | Risk: 8.8

2018-08-01 CVE-2018-1999027 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Saltstack
An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
Attack vector: network | Attack complexity: high | Tags: jenkins | CWE-352 | Risk: 7.5

2018-08-01 CVE-2018-1999025 Improper Certificate Validation vulnerability in Jenkins Tracetronic Ecu-Test
A man-in-the-middle vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java, ATXValidator.java that allows attackers to impersonate any service that Jenkins connects to.
Attack vector: network | Attack complexity: high | Tags: jenkins | CWE-295 | Risk: 7.4

2018-07-27 CVE-2017-2652 Improper Authentication vulnerability in Jenkins Distributed Fork
It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
Attack vector: network | Attack complexity: low | Tags: jenkins | CWE-287 | Risk: 8.8

2018-07-27 CVE-2017-2650 Unspecified vulnerability in Jenkins Pipeline Classpath Step 0.1.0
It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g.
Attack vector: network | Attack complexity: high | Tags: jenkins | Risk: 8.5

2018-07-27 CVE-2017-2649 Improper Certificate Validation vulnerability in Jenkins Active Directory
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
Attack vector: network | Attack complexity: high | Tags: jenkins | CWE-295 | Risk: 8.1

2018-07-23 CVE-2018-1999002
An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
Attack vector: network | Attack complexity: low | Tags: jenkins, oracle | Risk: 7.5

2018-07-23 CVE-2018-1999001
An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory.
Attack vector: network | Attack complexity: low | Tags: jenkins, oracle | Risk: 8.8