Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-01-09 | CVE-2018-1000413 | Cross-site Scripting vulnerability in Jenkins Config File Provider A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins. | 5.4 |
| 2019-01-09 | CVE-2018-1000411 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Junit A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. | 6.5 |
| 2019-01-09 | CVE-2018-1000409 | Session Fixation vulnerability in Jenkins A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. | 5.4 |
| 2019-01-09 | CVE-2018-1000408 | Unspecified vulnerability in Jenkins A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory. | 6.5 |
| 2019-01-09 | CVE-2018-1000407 | Cross-site Scripting vulnerability in Jenkins A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. | 6.1 |
| 2019-01-09 | CVE-2018-1000406 | Path Traversal vulnerability in Jenkins A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. | 6.5 |
| 2018-12-10 | CVE-2018-1000864 | Infinite Loop vulnerability in multiple products A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. | 6.5 |
| 2018-12-10 | CVE-2018-1000862 | Information Exposure vulnerability in multiple products An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | 4.3 |
| 2018-08-23 | CVE-2018-1999047 | Incorrect Authorization vulnerability in Jenkins A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. | 6.5 |
| 2018-08-23 | CVE-2018-1999046 | Information Exposure vulnerability in Jenkins A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. | 4.3 |