Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-26 | CVE-2017-1000399 | Information Exposure vulnerability in Jenkins The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). | 4.3 |
| 2018-01-26 | CVE-2017-1000398 | Information Exposure vulnerability in Jenkins The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. | 4.3 |
| 2018-01-26 | CVE-2017-1000397 | Improper Input Validation vulnerability in Jenkins Maven Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | 5.9 |
| 2018-01-26 | CVE-2017-1000396 | Improper Certificate Validation vulnerability in Jenkins Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. | 5.9 |
| 2018-01-26 | CVE-2017-1000395 | Information Exposure vulnerability in Jenkins Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. | 4.3 |
| 2018-01-26 | CVE-2017-1000392 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. | 4.8 |
| 2018-01-26 | CVE-2017-1000390 | Missing Authorization vulnerability in Jenkins Multijob Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build. | 4.3 |
| 2018-01-26 | CVE-2017-1000389 | Cross-site Scripting vulnerability in Jenkins Global-Build-Stats Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. | 6.1 |
| 2018-01-26 | CVE-2017-1000388 | Missing Authorization vulnerability in Jenkins Dependency Graph Viewer Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data. | 4.3 |
| 2018-01-26 | CVE-2017-1000386 | Cross-site Scripting vulnerability in Jenkins Active Choices Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. | 5.4 |