Vulnerabilities > Jenkins > Medium
DATE | CVE | VULNERABILITY (TITLE: DESCRIPTION) | RISK (CVSS SCORE) |
---|---|---|---|
2019-05-21 | CVE-2019-10320 | File and Directory Information Exposure vulnerability in Jenkins Credentials: Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and to obtain the certificate content of files containing a PKCS#12 certificate. | 4.3 |
2019-05-21 | CVE-2019-10319 | Missing Authorization vulnerability in Jenkins Pluggable Authentication Module: A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1, in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as. | 4.3 |
2019-04-30 | CVE-2019-10317 | Improper Certificate Validation vulnerability in Jenkins Sitemonitor: Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. | 5.9 |
2019-04-30 | CVE-2019-10314 | Improper Certificate Validation vulnerability in Jenkins Koji: Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | 5.9 |
2019-04-30 | CVE-2019-10312 | Missing Authorization vulnerability in Jenkins Ansible Tower: A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate the credentials IDs of credentials stored in Jenkins. | 4.3 |
2019-04-30 | CVE-2019-10308 | Missing Authorization vulnerability in Jenkins Static Analysis Utilities: A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users. | 6.5 |
2019-04-30 | CVE-2019-10307 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Static Analysis Utilities: A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. | 6.5 |
2019-04-18 | CVE-2019-10305 | Missing Authorization vulnerability in Jenkins Xebialabs XL Deploy: A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | 6.5 |
2019-04-18 | CVE-2019-10304 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Deploy: A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server. | 6.5 |
2019-04-10 | CVE-2019-1003050 | Cross-site Scripting vulnerability in multiple products: The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. | 5.4 |
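Half of the entries above (CVE-2019-10319, -10312, -10308/-10307, -10305/-10304) are the same plugin-development mistake: a public `doXxx` method on a descriptor that Stapler exposes as an HTTP endpoint, with no permission check and no restriction to POST. The following is an added illustration of that pattern beside its hardened form; it is not code from Jenkins core or from any plugin in the table. `ExampleTool`, the two descriptor classes and the method names are hypothetical; the calls to `Descriptor`, `FormValidation`, `StandardListBoxModel`, `@RequirePOST`, `hasPermission` and `checkPermission` are the standard Jenkins core and Credentials Plugin APIs.

```java
// Added example, not code from any listed plugin. ExampleTool, VulnerableDescriptor,
// DescriptorImpl and reachable() are hypothetical names.
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleTool implements Describable<ExampleTool> {
    @Override
    public Descriptor<ExampleTool> getDescriptor() {
        return Jenkins.get().getDescriptorOrDie(getClass());
    }

    // Opens an HTTP connection to a user-supplied URL; both descriptors below
    // reach it from a "Test connection" form-validation handler.
    static boolean reachable(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setConnectTimeout(3000);
        c.setRequestMethod("HEAD");
        return c.getResponseCode() < 400;
    }

    // BEFORE: the shape of the listed findings. Stapler maps every public doXxx
    // method to /descriptorByName/<class>/xxx; nothing restricts who calls it or how.
    // (Deliberately not annotated with @Extension so Jenkins never registers it.)
    public static class VulnerableDescriptor extends Descriptor<ExampleTool> {
        // Any user with Overall/Read can list credential IDs (cf. CVE-2019-10312).
        public ListBoxModel doFillCredentialsIdItems() {
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class);
        }

        // Reachable by GET without a permission check, so a link or <img> on an
        // attacker's page makes the victim's Jenkins connect to an attacker-chosen
        // server (cf. CVE-2019-10304 / CVE-2019-10305).
        public FormValidation doTestConnection(@QueryParameter String url) throws IOException {
            return reachable(url) ? FormValidation.ok("Connected") : FormValidation.error("No response");
        }
    }

    // AFTER: the hardened form of the same two handlers.
    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleTool> {
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            // Callers who may not read or use credentials in this context get only
            // the value already stored, so the form still renders but leaks nothing.
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
            return result.includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                               Collections.emptyList())
                    .includeCurrentValue(credentialsId);
        }

        // @RequirePOST rejects GET, so the crumb-protected form submission is the
        // only way in (closes the CSRF); checkPermission throws for non-admins
        // (closes the missing-authorization half).
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url) throws IOException {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return reachable(url) ? FormValidation.ok("Connected") : FormValidation.error("No response");
        }
    }
}
```

A quick check for the vulnerable shape on an instance you administer: with a user that has only Overall/Read, request `GET /descriptorByName/<descriptor class>/fillCredentialsIdItems` and `GET /descriptorByName/<descriptor class>/testConnection?url=...`; a hardened handler answers the first with an empty or current-value-only list and the second with HTTP 405 (method not allowed) or 403.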
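CVE-2019-10317 and CVE-2019-10314 describe a different mistake: accepting a self-signed or otherwise untrusted certificate by replacing the JVM's default trust manager and hostname verifier, which disables verification for every HTTPS connection the Jenkins master makes afterwards, not only the plugin's own. The following added example (not code from the SiteMonitor or Koji plugins; `MonitorHttpClient` and its methods are hypothetical names, the JSSE calls are standard Java) shows the global anti-pattern beside a per-connection, per-truststore configuration.

```java
// Added example, not code from any listed plugin. MonitorHttpClient,
// disableVerificationGlobally() and status() are hypothetical names.
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class MonitorHttpClient {

    // BEFORE: "accept self-signed certificates" done JVM-wide. Both setDefault*
    // calls are static and process-wide, so every HttpsURLConnection opened
    // anywhere in the controller afterwards (update center, SCM polling,
    // notification plugins) accepts any certificate for any host name.
    static void disableVerificationGlobally() throws GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // AFTER: trust only the CA the administrator configured for this plugin,
    // and apply it to this client's connections only.
    private final SSLSocketFactory factory;

    MonitorHttpClient(String truststorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        this.factory = ctx.getSocketFactory();
    }

    int status(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory); // scoped to this connection, not the JVM
        // The default hostname verifier is left in place: the certificate
        // must still match the host actually being contacted.
        conn.setConnectTimeout(5000);
        conn.setRequestMethod("HEAD");
        return conn.getResponseCode();
    }
}
```

When auditing a plugin for this class of bug, grep its sources for `setDefaultSSLSocketFactory`, `setDefaultHostnameVerifier` and `SSLContext.setDefault`; any hit in code that runs on the controller is a global change whose effect outlives the plugin's own request.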