Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-03-28 CVE-2019-1003042 Cross-site Scripting vulnerability in Jenkins Lockable Resources
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.
network
low complexity
jenkins CWE-79
5.4
2019-03-08 CVE-2019-1003037 Missing Authorization vulnerability in Jenkins Azure VM Agents
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
network
low complexity
jenkins CWE-862
6.5
2019-03-08 CVE-2019-1003036 Missing Authorization vulnerability in Jenkins Azure VM Agents
A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.
network
low complexity
jenkins CWE-862
4.3
2019-03-08 CVE-2019-1003035 Missing Authorization vulnerability in Jenkins Azure VM Agents
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.
network
low complexity
jenkins CWE-862
4.3
2019-02-20 CVE-2019-1003028 Server-Side Request Forgery (SSRF) vulnerability in Jenkins JMS Messaging
A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.
network
low complexity
jenkins CWE-918
4.3
2019-02-20 CVE-2019-1003027 Server-Side Request Forgery (SSRF) vulnerability in Jenkins Octopusdeploy
A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.
network
low complexity
jenkins CWE-918
4.3
2019-02-20 CVE-2019-1003026 Server-Side Request Forgery (SSRF) vulnerability in Jenkins Mattermost
A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message.
network
low complexity
jenkins CWE-918
4.3
2019-02-06 CVE-2019-1003023 Cross-site Scripting vulnerability in Jenkins Warnings Next Generation 1.0.0/1.0.1
A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML.
network
low complexity
jenkins CWE-79
6.1
2019-02-06 CVE-2019-1003022 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Monitoring 1.73.0/1.73.1/1.74.0
A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.
network
low complexity
jenkins CWE-352
6.5
2019-02-06 CVE-2019-1003021 Information Exposure vulnerability in Jenkins Openid Connect Authentication
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g.
network
low complexity
jenkins CWE-200
4.3