Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-04-30 CVE-2019-10312 Missing Authorization vulnerability in Jenkins Ansible Tower
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3
2019-04-30 CVE-2019-10308 Missing Authorization vulnerability in Jenkins Static Analysis Utilities
A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users.
network
low complexity
jenkins CWE-862
6.5
2019-04-30 CVE-2019-10307 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Static Analysis Utilities
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.
network
low complexity
jenkins CWE-352
6.5
2019-04-18 CVE-2019-10305 Missing Authorization vulnerability in Jenkins Xebialabs XL Deploy
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-862
6.5
2019-04-18 CVE-2019-10304 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Deploy
A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-352
6.5
2019-04-10 CVE-2019-1003050 Cross-site Scripting vulnerability in multiple products
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
network
low complexity
jenkins oracle redhat CWE-79
5.4
2019-04-04 CVE-2019-10293 Missing Authorization vulnerability in Jenkins Kmap
A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-862
6.5
2019-04-04 CVE-2019-10292 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Kmap
A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-352
6.5
2019-04-04 CVE-2019-10290 Missing Authorization vulnerability in Jenkins Netsparker Cloud Scan
A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-862
6.5
2019-04-04 CVE-2019-10289 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Netsparker Cloud Scan
A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-352
6.5