Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-03-28 | CVE-2019-1003042 | Cross-site Scripting vulnerability in Jenkins Lockable Resources A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | 5.4 |
| 2019-03-08 | CVE-2019-1003037 | Missing Authorization vulnerability in Jenkins Azure VM Agents An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 6.5 |
| 2019-03-08 | CVE-2019-1003036 | Missing Authorization vulnerability in Jenkins Azure VM Agents A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent. | 4.3 |
| 2019-03-08 | CVE-2019-1003035 | Missing Authorization vulnerability in Jenkins Azure VM Agents An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration. | 4.3 |
| 2019-02-20 | CVE-2019-1003028 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins JMS Messaging A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint. | 4.3 |
| 2019-02-20 | CVE-2019-1003027 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Octopusdeploy A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise. | 4.3 |
| 2019-02-20 | CVE-2019-1003026 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Mattermost A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message. | 4.3 |
| 2019-02-06 | CVE-2019-1003023 | Cross-site Scripting vulnerability in Jenkins Warnings Next Generation 1.0.0/1.0.1 A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML. | 6.1 |
| 2019-02-06 | CVE-2019-1003022 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Monitoring 1.73.0/1.73.1/1.74.0 A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master. | 6.5 |
| 2019-02-06 | CVE-2019-1003021 | Information Exposure vulnerability in Jenkins Openid Connect Authentication An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. | 4.3 |