Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-12 | CVE-2019-10398 | Insufficiently Protected Credentials vulnerability in Jenkins Beaker Builder Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | 5.5 |
| 2019-09-12 | CVE-2019-10396 | Cross-site Scripting vulnerability in Jenkins Dashboard View Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions. | 5.4 |
| 2019-09-12 | CVE-2019-10395 | Cross-site Scripting vulnerability in Jenkins Build Environment Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties. | 5.4 |
| 2019-09-12 | CVE-2019-10394 | Unspecified vulnerability in Jenkins Script Security A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. | 4.2 |
| 2019-09-12 | CVE-2019-10393 | Unspecified vulnerability in Jenkins Script Security A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. | 4.2 |
| 2019-08-28 | CVE-2019-10391 | Cleartext Transmission of Sensitive Information vulnerability in Jenkins IBM Application Security on Cloud Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. | 6.5 |
| 2019-08-28 | CVE-2019-10383 | Cross-site Scripting vulnerability in multiple products A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages. | 4.8 |
| 2019-08-07 | CVE-2019-10389 | Missing Authorization vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24 A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | 4.3 |
| 2019-08-07 | CVE-2019-10388 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24 A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | 4.3 |
| 2019-08-07 | CVE-2019-10387 | Missing Authorization vulnerability in Jenkins XL Testview A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |