Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-05-21 CVE-2019-10320 File and Directory Information Exposure vulnerability in Jenkins Credentials
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
network
low complexity
jenkins CWE-538
4.3
2019-05-21 CVE-2019-10319 Missing Authorization vulnerability in Jenkins Pluggable Authentication Module
A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.
network
low complexity
jenkins CWE-862
4.3
2019-04-30 CVE-2019-10317 Improper Certificate Validation vulnerability in Jenkins Sitemonitor
Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.
network
high complexity
jenkins CWE-295
5.9
2019-04-30 CVE-2019-10314 Improper Certificate Validation vulnerability in Jenkins Koji
Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
network
high complexity
jenkins CWE-295
5.9
2019-04-30 CVE-2019-10312 Missing Authorization vulnerability in Jenkins Ansible Tower
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
4.3
2019-04-30 CVE-2019-10308 Missing Authorization vulnerability in Jenkins Static Analysis Utilities
A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users.
network
low complexity
jenkins CWE-862
6.5
2019-04-30 CVE-2019-10307 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Static Analysis Utilities
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.
network
low complexity
jenkins CWE-352
6.5
2019-04-18 CVE-2019-10305 Missing Authorization vulnerability in Jenkins Xebialabs XL Deploy
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-862
6.5
2019-04-18 CVE-2019-10304 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Deploy
A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.
network
low complexity
jenkins CWE-352
6.5
2019-04-10 CVE-2019-1003050 Cross-site Scripting vulnerability in multiple products
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
network
low complexity
jenkins oracle redhat CWE-79
5.4