Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-03 | CVE-2020-2198 | Insufficiently Protected Credentials vulnerability in Jenkins Project Inheritance Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure. | 6.5 |
| 2020-06-03 | CVE-2020-2197 | Incorrect Default Permissions vulnerability in Jenkins Project Inheritance Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format. | 4.3 |
| 2020-06-03 | CVE-2020-2195 | Cross-site Scripting vulnerability in Jenkins Compact Columns Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission. | 5.4 |
| 2020-06-03 | CVE-2020-2194 | Cross-site Scripting vulnerability in Jenkins Echarts API Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability. | 5.4 |
| 2020-06-03 | CVE-2020-2193 | Cross-site Scripting vulnerability in Jenkins Echarts API Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability. | 5.4 |
| 2020-06-03 | CVE-2020-2192 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Self-Organizing Swarm Modules A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. | 6.5 |
| 2020-06-03 | CVE-2020-2191 | Incorrect Default Permissions vulnerability in Jenkins Self-Organizing Swarm Modules Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels. | 4.3 |
| 2020-06-03 | CVE-2020-2190 | Cross-site Scripting vulnerability in Jenkins Script Security Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability. | 5.4 |
| 2020-05-06 | CVE-2020-2188 | Incorrect Authorization vulnerability in Jenkins Amazon EC2 A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | 4.3 |
| 2020-05-06 | CVE-2020-2187 | Improper Certificate Validation vulnerability in Jenkins Amazon EC2 Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. | 5.6 |