Jenkins vulnerabilities rated High

| Date | CVE | Vulnerability title | Description | Attack vector | Attack complexity | Tags / CWE | Risk |
|---|---|---|---|---|---|---|---|
| 2017-10-05 | CVE-2017-1000107 | Unspecified vulnerability in Jenkins Script Security 1.30 | Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. | network | low | jenkins | 8.8 |
| 2017-10-05 | CVE-2017-1000106 | Improper Authentication vulnerability in Jenkins Blue Ocean | Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. | network | low | jenkins, CWE-287 | 8.5 |
| 2017-10-05 | CVE-2017-1000096 | Incorrect Permission Assignment for Critical Resource vulnerability in Jenkins Pipeline: Groovy | Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. | network | low | jenkins, CWE-732 | 8.8 |
| 2017-10-05 | CVE-2017-1000093 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Poll SCM | Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. | network | low | jenkins, CWE-352 | 8.8 |
| 2017-10-05 | CVE-2017-1000092 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins GIT | Git Plugin connects to a user-specified Git repository as part of form validation. | network | high | jenkins, CWE-352 | 7.5 |
| 2017-10-05 | CVE-2017-1000090 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Role-Based Authorization Strategy | Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. | network | low | jenkins, CWE-352 | 8.8 |
| 2017-10-05 | CVE-2017-1000086 | Missing Authorization vulnerability in Jenkins Periodic Backup | The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. | network | low | jenkins, CWE-862 | 8.0 |
| 2017-02-09 | CVE-2016-4986 | Path Traversal vulnerability in Jenkins TAP | Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter. | network | low | jenkins, CWE-22 | 7.5 |
| 2017-02-09 | CVE-2016-3102 | 7PK - Security Features vulnerability in Jenkins Script Security | The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. | network | low | jenkins, CWE-254 | 7.3 |
| 2016-05-17 | CVE-2016-3726 | Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs. | | network | low | jenkins, redhat | 7.4 |