Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-04-30 | CVE-2019-10312 | Missing Authorization vulnerability in Jenkins Ansible Tower A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | 4.3 |
| 2019-04-30 | CVE-2019-10308 | Missing Authorization vulnerability in Jenkins Static Analysis Utilities A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users. | 6.5 |
| 2019-04-30 | CVE-2019-10307 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Static Analysis Utilities A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. | 6.5 |
| 2019-04-18 | CVE-2019-10305 | Missing Authorization vulnerability in Jenkins Xebialabs XL Deploy A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | 6.5 |
| 2019-04-18 | CVE-2019-10304 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Deploy A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server. | 6.5 |
| 2019-04-10 | CVE-2019-1003050 | Cross-site Scripting vulnerability in multiple products The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. | 5.4 |
| 2019-04-04 | CVE-2019-10293 | Missing Authorization vulnerability in Jenkins Kmap A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | 6.5 |
| 2019-04-04 | CVE-2019-10292 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Kmap A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server. | 6.5 |
| 2019-04-04 | CVE-2019-10290 | Missing Authorization vulnerability in Jenkins Netsparker Cloud Scan A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | 6.5 |
| 2019-04-04 | CVE-2019-10289 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Netsparker Cloud Scan A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server. | 6.5 |