Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-26 | CVE-2017-1000390 | Missing Authorization vulnerability in Jenkins Multijob Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build. | 4.0 |
| 2018-01-26 | CVE-2017-1000389 | Cross-site Scripting vulnerability in Jenkins Global-Build-Stats Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. | 4.3 |
| 2018-01-26 | CVE-2017-1000388 | Missing Authorization vulnerability in Jenkins Dependency Graph Viewer Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data. | 4.0 |
| 2018-01-25 | CVE-2017-1000505 | Information Exposure vulnerability in Jenkins Script Security In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. | 4.0 |
| 2018-01-24 | CVE-2017-1000504 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. | 6.8 |
| 2018-01-24 | CVE-2017-1000503 | Race Condition vulnerability in Jenkins A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. | 6.8 |
| 2018-01-23 | CVE-2018-1000015 | Missing Authorization vulnerability in Jenkins Pipeline Nodes and Processes On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. | 4.9 |
| 2018-01-23 | CVE-2018-1000014 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Translation Assistance Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. | 6.8 |
| 2018-01-23 | CVE-2018-1000013 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Release Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. | 6.8 |
| 2018-01-23 | CVE-2018-1000012 | XXE vulnerability in Jenkins Warnings Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | 6.5 |