
DATE | CVE | VULNERABILITY TITLE | ATTACK VECTOR | COMPLEXITY | PRODUCTS / CWE | RISK

2019-01-09 | CVE-2018-1000406 | Path Traversal vulnerability in Jenkins | network | low complexity | jenkins, CWE-22 | 4.0
    A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

2018-12-10 | CVE-2018-1000866 | Improper Privilege Management vulnerability in multiple products | network | low complexity | jenkins, redhat, CWE-269 | 6.5
    A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java and groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM.

2018-12-10 | CVE-2018-1000865 | Improper Privilege Management vulnerability in multiple products | network | low complexity | jenkins, redhat, CWE-269 | 6.5
    A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed.

2018-12-10 | CVE-2018-1000864 | Infinite Loop vulnerability in Jenkins | network | low complexity | jenkins, redhat, CWE-835 | 4.0
    A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

2018-12-10 | CVE-2018-1000863 | Path Traversal vulnerability in Jenkins | network | low complexity | jenkins, redhat, CWE-22 | 6.4
    A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java and IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.

2018-12-10 | CVE-2018-1000862 | Information Exposure vulnerability in Jenkins | network | low complexity | jenkins, redhat, CWE-200 | 4.0
    An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds, beyond the duration of the build, using the workspace browser.

2018-08-23 | CVE-2018-1999047 | Incorrect Authorization vulnerability in Jenkins | network | low complexity | jenkins, CWE-863 | 4.0
    An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

2018-08-23 | CVE-2018-1999046 | Information Exposure vulnerability in Jenkins | network | low complexity | jenkins, CWE-200 | 4.0
    An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

2018-08-23 | CVE-2018-1999045 | Improper Authentication vulnerability in Jenkins | network | low complexity | jenkins, CWE-287 | 5.5
    An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java and TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

2018-08-23 | CVE-2018-1999044 | Infinite Loop vulnerability in Jenkins | network | low complexity | jenkins, CWE-835 | 4.0
    A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.