Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-01-26 CVE-2017-1000403 Incorrect Permission Assignment for Critical Resource vulnerability in Jenkins Speaks! 0.1/0.1.1
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.
network
low complexity
jenkins CWE-732
6.5
2018-01-26 CVE-2017-1000402 Improper Input Validation vulnerability in Jenkins Swarm
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
jenkins CWE-20
4.3
2018-01-26 CVE-2017-1000400 Missing Authorization vulnerability in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects.
network
low complexity
jenkins CWE-862
4.0
2018-01-26 CVE-2017-1000399 Information Exposure vulnerability in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start).
network
low complexity
jenkins CWE-200
4.0
2018-01-26 CVE-2017-1000398 Information Exposure vulnerability in Jenkins
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent.
network
low complexity
jenkins CWE-200
4.0
2018-01-26 CVE-2017-1000397 Improper Input Validation vulnerability in Jenkins Maven
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
jenkins CWE-20
4.3
2018-01-26 CVE-2017-1000396 Improper Certificate Validation vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
jenkins CWE-295
4.3
2018-01-26 CVE-2017-1000395 Information Exposure vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API.
network
low complexity
jenkins CWE-200
4.0
2018-01-26 CVE-2017-1000394 Improper Input Validation vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092.
network
low complexity
jenkins CWE-20
5.0
2018-01-26 CVE-2017-1000391 Improper Input Validation vulnerability in Jenkins
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk.
network
jenkins CWE-20
4.9