Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-10-05 CVE-2017-1000090 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Role-Based Authorization Strategy
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
network
jenkins CWE-352
6.8
6.8
2017-10-05 CVE-2017-1000089 Incorrect Default Permissions vulnerability in Jenkins Pipeline: Build Step
Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins.
network
low complexity
jenkins CWE-276
5.0
5.0
2017-10-05 CVE-2017-1000087 Information Exposure vulnerability in Jenkins Github Branch Source
GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use.
network
low complexity
jenkins CWE-200
4.0
4.0
2017-10-05 CVE-2017-1000086 Missing Authorization vulnerability in Jenkins Periodic Backup
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation.
network
jenkins CWE-862
6.0
6.0
2017-10-05 CVE-2017-1000085 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Subversion
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g.
network
jenkins CWE-352
4.3
4.3
2017-10-05 CVE-2017-1000084 Incorrect Default Permissions vulnerability in Jenkins Parameterized Trigger
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.
network
low complexity
jenkins CWE-276
4.0
4.0
2017-09-12 CVE-2014-9635 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
network
low complexity
jenkins apache CWE-254
5.0
5.0
2017-09-12 CVE-2014-9634 7PK - Security Features vulnerability in Jenkins
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
network
low complexity
jenkins apache CWE-254
5.0
5.0
2017-07-17 CVE-2017-1000362 Information Exposure vulnerability in Jenkins
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key.
network
low complexity
jenkins CWE-200
5.0
5.0
2017-02-09 CVE-2016-4988 Cross-site Scripting vulnerability in Jenkins Build Failure Analyzer
Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
network
jenkins CWE-79
4.3
4.3