Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-08-23 CVE-2018-1999045 Improper Authentication vulnerability in Jenkins
A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.
network
low complexity
jenkins CWE-287
5.4
5.4
2018-08-23 CVE-2018-1999044 Infinite Loop vulnerability in Jenkins
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
network
low complexity
jenkins CWE-835
6.5
6.5
2018-08-23 CVE-2018-1999042 Deserialization of Untrusted Data vulnerability in Jenkins
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
network
low complexity
jenkins CWE-502
5.3
5.3
2018-08-06 CVE-2017-2654 Information Exposure vulnerability in Jenkins Email Extension
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure.
network
low complexity
jenkins CWE-200
5.3
5.3
2018-08-01 CVE-2018-1999041 Information Exposure vulnerability in Jenkins Tinfoil Security
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.
local
low complexity
jenkins CWE-200
5.5
5.5
2018-08-01 CVE-2018-1999039 Server-Side Request Forgery (SSRF) vulnerability in Jenkins Confluence Publisher
A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.
network
low complexity
jenkins CWE-918
4.3
4.3
2018-08-01 CVE-2018-1999038 Confused Deputy vulnerability in Jenkins Publish Over Cifs
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials.
network
high complexity
jenkins CWE-441
4.2
4.2
2018-08-01 CVE-2018-1999037 Improper Input Validation vulnerability in Jenkins Resource Disposer
A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource.
network
low complexity
jenkins CWE-20
4.3
4.3
2018-08-01 CVE-2018-1999036 Information Exposure Through Log Files vulnerability in Jenkins SSH Agent
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.
network
low complexity
jenkins CWE-532
6.5
6.5
2018-08-01 CVE-2018-1999031 Information Exposure vulnerability in Jenkins Meliora Testlab
An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration.
network
low complexity
jenkins CWE-200
6.5
6.5