Vulnerabilities > Jenkins > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|---|
2018-08-01 | CVE-2018-1999038 | Confused Deputy vulnerability in Jenkins Publish Over Cifs | A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials. | 4.2 |
2018-08-01 | CVE-2018-1999037 | Improper Input Validation vulnerability in Jenkins Resource Disposer | A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource. | 4.3 |
2018-08-01 | CVE-2018-1999036 | Information Exposure Through Log Files vulnerability in Jenkins SSH Agent | An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. | 6.5 |
2018-08-01 | CVE-2018-1999031 | Information Exposure vulnerability in Jenkins Meliora Testlab | An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. | 6.5 |
2018-08-01 | CVE-2018-1999030 | Information Exposure vulnerability in Jenkins Maven Artifact Choicelistprovider (Nexus) | An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | 5.4 |
2018-08-01 | CVE-2018-1999029 | Cross-site Scripting vulnerability in Jenkins Shelve Project | A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | 5.4 |
2018-08-01 | CVE-2018-1999026 | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Tracetronic Ecu-Test | A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host. | 6.5 |
2018-07-27 | CVE-2017-2648 | Improper Certificate Validation vulnerability in Jenkins SSH Slaves | It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. | 5.6 |
2018-07-23 | CVE-2018-1999007 | Cross-site Scripting vulnerability in multiple products | A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. | 5.4 |
2018-07-23 | CVE-2018-1999006 | Information Exposure vulnerability in Jenkins | An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. | 4.3 |