Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-02-16 CVE-2018-1000067 Server-Side Request Forgery (SSRF) vulnerability in multiple products
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
network
low complexity
jenkins oracle CWE-918
5.3
2018-02-09 CVE-2018-1000057 Insufficiently Protected Credentials vulnerability in Jenkins Credentials Binding
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs.
network
low complexity
jenkins CWE-522
4.3
2018-01-29 CVE-2017-1000355 Deserialization of Untrusted Data vulnerability in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
network
low complexity
jenkins CWE-502
6.5
2018-01-26 CVE-2017-1000404 Cross-site Scripting vulnerability in Jenkins Delivery Pipeline
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
network
low complexity
jenkins CWE-79
6.1
2018-01-26 CVE-2017-1000402 Improper Input Validation vulnerability in Jenkins Swarm
Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
high complexity
jenkins CWE-20
5.9
2018-01-26 CVE-2017-1000400 Missing Authorization vulnerability in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects.
network
low complexity
jenkins CWE-862
4.3
2018-01-26 CVE-2017-1000399 Information Exposure vulnerability in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start).
network
low complexity
jenkins CWE-200
4.3
2018-01-26 CVE-2017-1000398 Information Exposure vulnerability in Jenkins
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent.
network
low complexity
jenkins CWE-200
4.3
2018-01-26 CVE-2017-1000397 Improper Input Validation vulnerability in Jenkins Maven
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
high complexity
jenkins CWE-20
5.9
2018-01-26 CVE-2017-1000396 Improper Certificate Validation vulnerability in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
network
high complexity
jenkins CWE-295
5.9