Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-01-09 CVE-2018-1000413 Cross-site Scripting vulnerability in Jenkins Config File Provider
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.
network
low complexity
jenkins CWE-79
5.4
2019-01-09 CVE-2018-1000411 Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Junit
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.
network
low complexity
jenkins CWE-352
6.5
2019-01-09 CVE-2018-1000409 Session Fixation vulnerability in Jenkins
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.
network
low complexity
jenkins CWE-384
5.4
2019-01-09 CVE-2018-1000408 Unspecified vulnerability in Jenkins
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.
network
low complexity
jenkins
6.5
2019-01-09 CVE-2018-1000407 Cross-site Scripting vulnerability in Jenkins
A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.
network
low complexity
jenkins CWE-79
6.1
2019-01-09 CVE-2018-1000406 Path Traversal vulnerability in Jenkins
A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
network
low complexity
jenkins CWE-22
6.5
2018-12-10 CVE-2018-1000864 Infinite Loop vulnerability in multiple products
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
network
low complexity
jenkins redhat CWE-835
6.5
2018-12-10 CVE-2018-1000862 Information Exposure vulnerability in multiple products
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.
network
low complexity
jenkins redhat CWE-200
4.3
2018-08-23 CVE-2018-1999047 Incorrect Authorization vulnerability in Jenkins
A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.
network
low complexity
jenkins CWE-863
6.5
2018-08-23 CVE-2018-1999046 Information Exposure vulnerability in Jenkins
A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent.
network
low complexity
jenkins CWE-200
4.3