Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-01-23 CVE-2018-1000997 Path Traversal vulnerability in Jenkins
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.
network
low complexity
jenkins CWE-22
4.0
2019-01-09 CVE-2018-1000426 Cross-site Scripting vulnerability in Jenkins GIT Changelog
A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.
network
jenkins CWE-79
4.3
2019-01-09 CVE-2018-1000417 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Email Extension Template
A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.
network
jenkins CWE-352
5.8
2019-01-09 CVE-2018-1000414 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Config File Provider
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.
network
jenkins CWE-352
5.8
2019-01-09 CVE-2018-1000413 Cross-site Scripting vulnerability in Jenkins Config File Provider
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.
network
low complexity
jenkins CWE-79
5.4
2019-01-09 CVE-2018-1000412 Incorrect Authorization vulnerability in Jenkins Jira
An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
network
low complexity
jenkins CWE-863
4.0
2019-01-09 CVE-2018-1000411 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Junit
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.
network
jenkins CWE-352
4.3
2019-01-09 CVE-2018-1000409 Session Fixation vulnerability in Jenkins
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.
network
jenkins CWE-384
5.8
2019-01-09 CVE-2018-1000408 Unspecified vulnerability in Jenkins
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.
network
low complexity
jenkins
6.4
2019-01-09 CVE-2018-1000407 Cross-site Scripting vulnerability in Jenkins
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.
network
jenkins CWE-79
4.3