Vulnerabilities > Jenkins > High

DATE | CVE | VULNERABILITY TITLE | RISK

2018-06-05 | CVE-2018-1000189 | Unspecified vulnerability in Jenkins Absint Astree | Risk 8.8
  A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master.
  Attack vector: network; attack complexity: low; product: jenkins

2018-05-15 | CVE-2017-2608 | Deserialization of Untrusted Data vulnerability in Jenkins | Risk 8.8
  Jenkins before versions 2.44 and 2.32.2 is vulnerable to remote code execution involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-502

2018-04-05 | CVE-2018-1000153 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Vsphere | Risk 8.8
  A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or sending credentials stored in Jenkins with a known ID to an attacker-specified server ("test connection").
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-352

2018-04-05 | CVE-2018-1000146 | Unspecified vulnerability in Jenkins Liquibase Runner | Risk 8.8
  An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
  Attack vector: network; attack complexity: low; product: jenkins

2018-04-05 | CVE-2018-1000142 | Information Exposure vulnerability in Jenkins Github Pull Request Builder | Risk 7.8
  An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
  Attack vector: local; attack complexity: low; product: jenkins; weakness: CWE-200

2018-03-27 | CVE-2018-8718 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Mailer | Risk 8.0
  Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-352

2018-03-13 | CVE-2018-1000104 | Insufficiently Protected Credentials vulnerability in Jenkins Coverity | Risk 7.8
  A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g.
  Attack vector: local; attack complexity: low; product: jenkins; weakness: CWE-522

2018-02-09 | CVE-2018-1000058 | Deserialization of Untrusted Data vulnerability in Jenkins Pipeline Supporting Apis 2.15/2.16/2.17 | Risk 8.8
  Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier allow arbitrary code execution due to incomplete sandbox protection: methods related to Java deserialization, such as readResolve, implemented in Pipeline scripts were not subject to sandbox protection and could therefore execute arbitrary code.
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-502

2018-02-09 | CVE-2018-1000056 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Junit | Risk 8.3
  Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or perform denial-of-service attacks.
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-918

2018-02-09 | CVE-2018-1000055 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Android Lint | Risk 8.3
  Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or perform denial-of-service attacks.
  Attack vector: network; attack complexity: low; product: jenkins; weakness: CWE-918