Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-08-01 CVE-2018-1999030 Information Exposure vulnerability in Jenkins Maven Artifact Choicelistprovider (Nexus)
An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
network
low complexity
jenkins CWE-200
5.4
2018-08-01 CVE-2018-1999029 Cross-site Scripting vulnerability in Jenkins Shelve Project
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
network
low complexity
jenkins CWE-79
5.4
2018-08-01 CVE-2018-1999026 Server-Side Request Forgery (SSRF) vulnerability in Jenkins Tracetronic Ecu-Test
A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host.
network
low complexity
jenkins CWE-918
6.5
2018-07-27 CVE-2017-2648 Improper Certificate Validation vulnerability in Jenkins SSH Slaves
It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
network
high complexity
jenkins CWE-295
5.6
2018-07-23 CVE-2018-1999007 Cross-site Scripting vulnerability in multiple products
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.
network
low complexity
jenkins oracle CWE-79
5.4
2018-07-23 CVE-2018-1999006 Information Exposure vulnerability in Jenkins
A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.
network
low complexity
jenkins CWE-200
4.3
2018-07-23 CVE-2018-1999005 Cross-site Scripting vulnerability in multiple products
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
network
low complexity
jenkins oracle CWE-79
5.4
2018-07-23 CVE-2018-1999004 Incorrect Authorization vulnerability in multiple products
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.
network
low complexity
jenkins oracle CWE-863
4.3
2018-07-23 CVE-2018-1999003 Incorrect Authorization vulnerability in multiple products
A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.
network
low complexity
jenkins oracle CWE-863
4.3
2018-07-09 CVE-2018-1000402 Information Exposure vulnerability in Jenkins AWS Codedeploy
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables.
network
low complexity
jenkins CWE-200
4.3