VuXML ID | Description |
d6f76976-e86d-4f9a-9362-76c849b10db2 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-1452 / CVE-2021-21602
Arbitrary file read vulnerability in workspace browsers
(High) SECURITY-1889 / CVE-2021-21603
XSS vulnerability in notification bar
(High) SECURITY-1923 / CVE-2021-21604
Improper handling of REST API XML deserialization errors
(High) SECURITY-2021 / CVE-2021-21605
Path traversal vulnerability in agent names
(Medium) SECURITY-2023 / CVE-2021-21606
Arbitrary file existence check in file fingerprints
(Medium) SECURITY-2025 / CVE-2021-21607
Excessive memory allocation in graph URLs leads to denial of service
(High) SECURITY-2035 / CVE-2021-21608
Stored XSS vulnerability in button labels
(Low) SECURITY-2047 / CVE-2021-21609
Missing permission check for paths with specific prefix
(High) SECURITY-2153 / CVE-2021-21610
Reflected XSS vulnerability in markup formatter preview
(High) SECURITY-2171 / CVE-2021-21611
Stored XSS vulnerability on new item page
Discovery: 2021-01-13. Entry: 2021-01-13. Affected: jenkins < 2.275; jenkins-lts < 2.263.2
https://www.jenkins.io/security/advisory/2021-01-13/
|
2bf56269-90f8-4a82-b82f-c0e289f2a0dc | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control
(High) SECURITY-2423 / CVE-2021-21696
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
(High) SECURITY-2428 / CVE-2021-21697
Agent-to-controller access control allows reading/writing most content of build directories
(Medium) SECURITY-2506 / CVE-2021-21698
Path traversal vulnerability in Subversion Plugin allows reading arbitrary files
Discovery: 2021-11-04. Entry: 2021-11-04. Affected: jenkins < 2.319; jenkins-lts < 2.303.3
https://www.jenkins.io/security/advisory/2021-11-04/
|
0b0ad196-1ee8-4a98-89b1-4d5d82af49a9 | jenkins -- DoS vulnerability in bundled XStream library
Jenkins Security Advisory:
Description
(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)
DoS vulnerability in bundled XStream library
Discovery: 2022-02-09. Entry: 2022-02-10. Affected: jenkins < 2.334; jenkins-lts < 2.319.3
CVE-2021-43859
CVE-2022-0538
https://www.jenkins.io/security/advisory/2022-02-09/
|
e358b470-b37d-4e47-bc8a-2cd9adbeb63c | jenkins -- Denial of service vulnerability in bundled Jetty
Jenkins Security Advisory:
Description
(High) JENKINS-65280 / CVE-2021-28165
Denial of service vulnerability in bundled Jetty
Discovery: 2021-04-20. Entry: 2021-04-20. Affected: jenkins < 2.286; jenkins-lts < 2.277.3
https://www.jenkins.io/security/advisory/2021-04-20/
CVE-2021-28165
|
631c4710-9be5-4a80-9310-eb2847fe24dd | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
SECURITY-412 through SECURITY-420 / CVE-2017-1000356
CSRF: Multiple vulnerabilities
SECURITY-429 / CVE-2017-1000353
CLI: Unauthenticated remote code execution
SECURITY-466 / CVE-2017-1000354
CLI: Login command allowed impersonating any Jenkins user
SECURITY-503 / CVE-2017-1000355
XStream: Java crash when trying to instantiate void/Void
Discovery: 2017-04-26. Entry: 2017-04-27. Affected: jenkins < 2.57; jenkins-lts < 2.46.2
CVE-2017-1000356
CVE-2017-1000353
CVE-2017-1000354
CVE-2017-1000355
https://jenkins.io/security/advisory/2017-04-26/
|
df3db21d-1a4d-4c78-acf7-4639e5a795e0 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-1424 / CVE-2019-10352
Arbitrary file write vulnerability using file parameter definitions
(High) SECURITY-626 / CVE-2019-10353
CSRF protection tokens did not expire
(Medium) SECURITY-534 / CVE-2019-10354
Unauthorized view fragment access
Discovery: 2019-07-17. Entry: 2019-07-17. Affected: jenkins < 2.186; jenkins-lts < 2.176.2
CVE-2019-10352
CVE-2019-10353
CVE-2019-10354
https://jenkins.io/security/advisory/2019-07-17/
|
3aa27226-f86f-11e8-a085-3497f683cb16 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Critical) SECURITY-595
Code execution through crafted URLs
(Medium) SECURITY-904
Forced migration of user records
(Medium) SECURITY-1072
Workspace browser allowed accessing files outside the workspace
(Medium) SECURITY-1193
Potential denial of service through cron expression form validation
Discovery: 2018-12-05. Entry: 2018-12-05. Affected: jenkins < 2.154; jenkins-lts < 2.138.3
https://jenkins.io/security/advisory/2018-12-05/
|
20a1881e-8a9e-11e8-bddf-d017c2ca229d | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-897 / CVE-2018-1999001
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
(High) SECURITY-914 / CVE-2018-1999002
Arbitrary file read vulnerability
(Medium) SECURITY-891 / CVE-2018-1999003
Unauthorized users could cancel queued builds
(Medium) SECURITY-892 / CVE-2018-1999004
Unauthorized users could initiate and abort agent launches
(Medium) SECURITY-944 / CVE-2018-1999005
Stored XSS vulnerability
(Medium) SECURITY-925 / CVE-2018-1999006
Unauthorized users are able to determine when a plugin was extracted from its JPI package
(Medium) SECURITY-390 / CVE-2018-1999007
XSS vulnerability in Stapler debug mode
Discovery: 2018-07-18. Entry: 2018-07-18. Affected: jenkins < 2.133; jenkins-lts < 2.121.2
https://jenkins.io/security/advisory/2018-07-18/
|
5bf6ed6d-9002-4f43-ad63-458f59e45384 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-1774 / CVE-2020-2160
CSRF protection for any URL could be bypassed
(Medium) SECURITY-1781 / CVE-2020-2161
Stored XSS vulnerability in label expression validation
(Medium) SECURITY-1793 / CVE-2020-2162
Stored XSS vulnerability in file parameters
(Medium) SECURITY-1796 / CVE-2020-2163
Stored XSS vulnerability in list view column headers
Discovery: 2020-03-25. Entry: 2020-03-25. Affected: jenkins <= 2.227; jenkins-lts <= 2.204.5
CVE-2020-2160
CVE-2020-2161
CVE-2020-2162
CVE-2020-2163
https://jenkins.io/security/advisory/2020-03-25/
|
8b03d274-56ca-489e-821a-cf32f07643f0 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
(High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
Discovery: 2024-01-24. Entry: 2024-01-24. Affected: jenkins < 2.422; jenkins-lts < 2.426.3
CVE-2024-23897
CVE-2024-23898
https://www.jenkins.io/security/advisory/2024-01-24/
|
a250539d-d1d4-4591-afd3-c8bdfac335d8 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-1682 / CVE-2020-2099
Inbound TCP Agent Protocol/3 authentication bypass
(Medium) SECURITY-1641 / CVE-2020-2100
Jenkins vulnerable to UDP amplification reflection attack
(Medium) SECURITY-1659 / CVE-2020-2101
Non-constant time comparison of inbound TCP agent connection secret
(Medium) SECURITY-1660 / CVE-2020-2102
Non-constant time HMAC comparison
(Medium) SECURITY-1695 / CVE-2020-2103
Diagnostic page exposed session cookies
(Medium) SECURITY-1650 / CVE-2020-2104
Memory usage graphs accessible to anyone with Overall/Read
(Low) SECURITY-1704 / CVE-2020-2105
Jenkins REST APIs vulnerable to clickjacking
(Medium) SECURITY-1680 / CVE-2020-2106
Stored XSS vulnerability in Code Coverage API Plugin
(Medium) SECURITY-1565 / CVE-2020-2107
Fortify Plugin stored credentials in plain text
(High) SECURITY-1719 / CVE-2020-2108
XXE vulnerability in WebSphere Deployer Plugin
Discovery: 2020-01-29. Entry: 2020-01-29. Affected: jenkins <= 2.219; jenkins-lts <= 2.204.2
https://jenkins.io/security/advisory/2020-01-29/
|
b4db7d78-bb62-4f4c-9326-6e9fc2ddd400 | jenkins -- CSRF protection bypass vulnerability
Jenkins Security Advisory:
Description
(High) SECURITY-3135 / CVE-2023-35141
CSRF protection bypass vulnerability
Discovery: 2023-06-14. Entry: 2023-06-14. Affected: jenkins < 2.400; jenkins-lts < 2.401.1
CVE-2023-35141
https://www.jenkins.io/security/advisory/2023-06-14/
|
4ebdd56b-fe72-11ee-bc57-00e081b7aa2d | jenkins -- Terrapin SSH vulnerability in Jenkins CLI client
Jenkins Security Advisory:
Description
(Medium) SECURITY-3386 / CVE-2023-48795
Terrapin SSH vulnerability in Jenkins CLI client
Discovery: 2024-04-17. Entry: 2024-04-19. Affected: jenkins < 2.452; jenkins-lts < 2.440.3
CVE-2023-48795
https://www.jenkins.io/security/advisory/2024-04-17/
|
06ab7724-0fd7-427e-a5ce-fe436302b10c | jenkins -- multiple vulnerabilities
Jenkins developers report:
The agent-to-master security subsystem ensures that the Jenkins master is protected from maliciously configured agents. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Black Duck Hub Plugin's API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Several other lower severity issues were reported; see the reference URL for details.
Discovery: 2018-05-09. Entry: 2018-05-10. Affected: jenkins <= 2.120; jenkins-lts <= 2.107.2
https://jenkins.io/security/advisory/2018-05-09/
|
425f2143-8876-4b0a-af84-e0238c5c2062 | jenkins -- Arbitrary file read vulnerability in workspace browsers
Jenkins Security Advisory:
Description
(Medium) SECURITY-2197 / CVE-2021-21615
Arbitrary file read vulnerability in workspace browsers
Discovery: 2021-01-26. Entry: 2021-01-26. Affected: jenkins < 2.276; jenkins-lts < 2.263.3
https://www.jenkins.io/security/advisory/2021-01-26/
|
1c2a9d76-9d98-43c3-8f5d-8c059b104d99 | jenkins -- multiple issues
Jenkins developers report:
Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
Discovery: 2017-11-08. Entry: 2017-11-09. Affected: jenkins < 2.89; jenkins-lts < 2.73.3
https://jenkins.io/security/advisory/2017-11-08/
|
debf6353-5753-4e9a-b710-a83ecdd743de | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-868
Administrators could persist access to Jenkins using crafted 'Remember me' cookie
(Medium) SECURITY-901
Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie
Discovery: 2019-01-16. Entry: 2019-01-16. Affected: jenkins < 2.160; jenkins-lts < 2.150.2
https://jenkins.io/security/advisory/2019-01-16/
|
aaba17aa-782e-4843-8a79-7756cfa2bf89 | jenkins -- multiple vulnerabilities
Jenkins developers report:
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names.

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.
Discovery: 2018-04-11. Entry: 2018-04-12. Affected: jenkins <= 2.115; jenkins-lts <= 2.107.1
https://jenkins.io/security/advisory/2018-04-11/
|
672eeea9-a070-4f88-b0f1-007e90a2cbc3 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-2558 / CVE-2022-20612
CSRF vulnerability in build triggers
Discovery: 2022-01-12. Entry: 2022-01-12. Affected: jenkins < 2.330; jenkins-lts < 2.319.2
CVE-2022-20612
https://www.jenkins.io/security/advisory/2022-01-12/
|
eef0d2d9-78c0-441e-8b03-454c5baebe20 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-1955 / CVE-2020-2229
Stored XSS vulnerability in help icons
(High) SECURITY-1957 / CVE-2020-2230
Stored XSS vulnerability in project naming strategy
(High) SECURITY-1960 / CVE-2020-2231
Stored XSS vulnerability in 'Trigger builds remotely'
Discovery: 2020-08-12. Entry: 2020-08-12. Affected: jenkins < 2.252; jenkins-lts < 2.235.4
CVE-2020-2229
CVE-2020-2230
CVE-2020-2231
https://www.jenkins.io/security/advisory/2020-08-12/
|
f68bb358-be8e-11ed-9215-00e081b7aa2d | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-3037 / CVE-2023-27898
XSS vulnerability in plugin manager
(Medium) SECURITY-3030 / CVE-2023-24998 (upstream issue), CVE-2023-27900 (MultipartFormDataParser), CVE-2023-27901 (StaplerRequest)
DoS vulnerability in bundled Apache Commons FileUpload library
(Medium) SECURITY-1807 / CVE-2023-27902
Workspace temporary directories accessible through directory browser
(Low) SECURITY-3058 / CVE-2023-27903
Temporary file parameter created with insecure permissions
(Low) SECURITY-2120 / CVE-2023-27904
Information disclosure through error stack traces related to agents
Discovery: 2023-03-08. Entry: 2023-03-09. Affected: jenkins < 2.394; jenkins-lts < 2.387.1
https://www.jenkins.io/security/advisory/2023-03-08/
|
db8fa362-0ccb-4aa8-9220-72b7763e9a4a | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Critical) SECURITY-3430 / CVE-2024-43044
Arbitrary file read vulnerability through agent connections can lead to RCE
(Medium) SECURITY-3349 / CVE-2024-43045
Missing permission check allows accessing other users' "My Views"
Discovery: 2024-08-07. Entry: 2024-08-07. Affected: jenkins < 2.471; jenkins-lts < 2.462.1
CVE-2024-43044
CVE-2024-43045
https://www.jenkins.io/security/advisory/2024-08-07/
|
1ee26d45-6ddb-11ee-9898-00e081b7aa2d | jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins Security Advisory:
Description
(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
HTTP/2 denial of service vulnerability in bundled Jetty
Discovery: 2023-10-18. Entry: 2023-10-18. Affected: jenkins < 2.428; jenkins-lts < 2.414.3
CVE-2023-36478
CVE-2023-44487
https://www.jenkins.io/security/advisory/2023-10-18/
|
5d374fbb-bae3-45db-afc0-795684ac7353 | jenkins -- Path traversal vulnerability allows access to files outside plugin resources
Jenkins developers report:
Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to.
Discovery: 2018-02-14. Entry: 2018-02-14. Affected: jenkins <= 2.106; jenkins-lts <= 2.89.3
https://jenkins.io/security/advisory/2018-02-14/
https://jenkins.io/blog/2018/02/14/security-updates/
CVE-2018-6356
|
09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8 | jenkins -- Buffer corruption in bundled Jetty
Jenkins Security Advisory:
Description
(Critical) SECURITY-1983 / CVE-2019-17638
Buffer corruption in bundled Jetty
Discovery: 2020-08-17. Entry: 2020-08-17. Affected: jenkins < 2.243; jenkins-lts < 2.235.5
CVE-2019-17638
https://www.jenkins.io/security/advisory/2020-08-17/
|
9720bb39-f82a-402f-9fe4-e2c875bdda83 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-1498 / CVE-2019-10401
Stored XSS vulnerability in expandable textbox form control
(Medium) SECURITY-1525 / CVE-2019-10402
XSS vulnerability in combobox form control
(Medium) SECURITY-1537 (1) / CVE-2019-10403
Stored XSS vulnerability in SCM tag action tooltip
(Medium) SECURITY-1537 (2) / CVE-2019-10404
Stored XSS vulnerability in queue item tooltip
(Medium) SECURITY-1505 / CVE-2019-10405
Diagnostic web page exposed Cookie HTTP header
(Medium) SECURITY-1471 / CVE-2019-10406
XSS vulnerability in Jenkins URL setting
Discovery: 2019-09-25. Entry: 2019-09-25. Affected: jenkins <= 2.196; jenkins-lts <= 2.176.3
https://jenkins.io/security/advisory/2019-09-25/
|
5cfa9d0c-73d7-4642-af4f-28fbed9e9404 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Please reference CVE/URL list for details
Discovery: 2017-02-01. Entry: 2017-02-01. Affected: jenkins < 2.44; jenkins-lts < 2.32.2
CVE-2017-2598
CVE-2017-2599
CVE-2017-2600
CVE-2011-4969
CVE-2017-2601
CVE-2015-0886
CVE-2017-2602
CVE-2017-2603
CVE-2017-2604
CVE-2017-2605
CVE-2017-2606
CVE-2017-2607
CVE-2017-2608
CVE-2017-2609
CVE-2017-2610
CVE-2017-2611
CVE-2017-2612
CVE-2017-2613
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01
|
9595d002-edeb-4602-be2d-791cd654247e | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Low) SECURITY-1721 / CVE-2021-21639
Lack of type validation in agent related REST API
(Medium) SECURITY-1871 / CVE-2021-21640
View name validation bypass
Discovery: 2021-04-07. Entry: 2021-04-08. Affected: jenkins < 2.287; jenkins-lts < 2.277.2
https://www.jenkins.io/security/advisory/2021-04-07/
|
6dc3c61c-e866-4c27-93f7-ae50908594fd | jenkins -- multiple issues
Jenkins developers report:
A total of 11 issues are reported; please see the reference URL for details.
Discovery: 2017-10-11. Entry: 2017-10-13. Affected: jenkins <= 2.83; jenkins-lts <= 2.73.1
https://jenkins.io/security/advisory/2017-10-11/
|
1ddab5cb-14c9-4632-959f-802c412a9593 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-1868 / CVE-2020-2220
Stored XSS vulnerability in job build time trend
(High) SECURITY-1901 / CVE-2020-2221
Stored XSS vulnerability in upstream cause
(High) SECURITY-1902 / CVE-2020-2222
Stored XSS vulnerability in 'keep forever' badge icons
(High) SECURITY-1945 / CVE-2020-2223
Stored XSS vulnerability in console links
Discovery: 2020-07-15. Entry: 2020-07-15. Affected: jenkins < 2.245; jenkins-lts < 2.235.2
CVE-2020-2220
CVE-2020-2221
CVE-2020-2222
CVE-2020-2223
https://www.jenkins.io/security/advisory/2020-07-15/
|
402fccd0-5b6d-11ee-9898-00e081b7aa2d | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-3261 / CVE-2023-43494
Builds can be filtered by values of sensitive build variables
(High) SECURITY-3245 / CVE-2023-43495
Stored XSS vulnerability
(High) SECURITY-3072 / CVE-2023-43496
Temporary plugin file created with insecure permissions
(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)
Temporary uploaded file created with insecure permissions
Discovery: 2023-09-20. Entry: 2023-09-25. Affected: jenkins < 2.424; jenkins-lts < 2.414.2
CVE-2023-43494
CVE-2023-43495
CVE-2023-43496
CVE-2023-43497
https://www.jenkins.io/security/advisory/2023-09-20/
|
7136e6b7-e1b3-11e7-a4d3-000c292ee6b8 | jenkins -- Two startup race conditions
The Jenkins project reports:
A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization.

On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup.

There is a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
Discovery: 2017-12-14. Entry: 2017-12-15. Affected: jenkins < 2.95; jenkins-lts < 2.89.2
https://jenkins.io/security/advisory/2017-12-14/
|
7a7891fc-6318-447a-ba45-31d525ec11a0 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-1453 / CVE-2019-10383
Stored XSS vulnerability in update center
(High) SECURITY-1491 / CVE-2019-10384
CSRF protection tokens for anonymous users did not expire in some circumstances
Discovery: 2019-08-28. Entry: 2019-08-28. Affected: jenkins <= 2.191; jenkins-lts <= 2.176.2
CVE-2019-10383
CVE-2019-10384
https://jenkins.io/security/advisory/2019-08-28/
|
9bad457e-b396-4452-8773-15bec67e1ceb | jenkins -- Jenkins core bundles vulnerable version of the commons-httpclient library
Jenkins Security Advisory:
Description
(Medium) SECURITY-2475 / CVE-2014-3577
Jenkins core bundles vulnerable version of the commons-httpclient library
Discovery: 2021-10-06. Entry: 2021-10-07. Affected: jenkins < 2.315; jenkins-lts < 2.303.2
CVE-2014-3577
https://www.jenkins.io/security/advisory/2021-10-06/
|
2e3bea0c-f110-11ee-bc57-00e081b7aa2d | jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins Security Advisory:
Description
(High) SECURITY-3379 / CVE-2024-22201
HTTP/2 denial of service vulnerability in bundled Jetty
Discovery: 2024-03-20. Entry: 2024-04-02. Affected: jenkins < 2.444; jenkins-lts < 2.440.2
CVE-2024-22201
https://www.jenkins.io/security/advisory/2024-03-20/
|
a0321b74-031d-485c-bb76-edd75256a6f0 | jenkins -- Stored XSS vulnerability
Jenkins Security Advisory:
Description
(High) SECURITY-3188 / CVE-2023-39151
Stored XSS vulnerability
Discovery: 2023-07-26. Entry: 2023-07-26. Affected: jenkins < 2.416; jenkins-lts < 2.401.3
CVE-2023-39151
https://www.jenkins.io/security/advisory/2023-07-26/
|
25be46f0-f25d-11ec-b62a-00e081b7aa2d | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)
Multiple XSS vulnerabilities
(Medium) SECURITY-2566 / CVE-2022-34174
Observable timing discrepancy allows determining username validity
(Medium) SECURITY-2777 / CVE-2022-34175
Unauthorized view fragment access
Discovery: 2022-06-22. Entry: 2022-06-22. Affected: jenkins < 2.356; jenkins-lts < 2.346.1
https://www.jenkins.io/security/advisory/2022-06-22/
|
3350275d-cd5a-11e8-a7be-3497f683cb16 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Low) SECURITY-867
Path traversal vulnerability in Stapler allowed accessing internal data
(Medium) SECURITY-1074
Arbitrary file write vulnerability using file parameter definitions
(Medium) SECURITY-1129
Reflected XSS vulnerability
(Medium) SECURITY-1162
Ephemeral user record was created on some invalid authentication attempts
(Medium) SECURITY-1128
Ephemeral user record creation
(Medium) SECURITY-1158
Session fixation vulnerability on user signup
(Medium) SECURITY-765
Failures to process form submission data could result in secrets being displayed or written to logs
Discovery: 2018-10-10. Entry: 2018-10-11. Affected: jenkins < 2.146; jenkins-lts < 2.138.2
https://jenkins.io/security/advisory/2018-10-10/
|
8e9c3f5a-715b-4336-8d05-19babef55e9e | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-1289
Jenkins accepted cached legacy CLI authentication
(Medium) SECURITY-1327
XSS vulnerability in form validation button
Discovery: 2019-04-10. Entry: 2019-04-10. Affected: jenkins < 2.172; jenkins-lts < 2.164.2
https://jenkins.io/security/advisory/2019-04-10/
|
9d271bab-da22-11eb-86f0-94c691a700a6 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Medium) SECURITY-2278 / CVE-2021-21670
Improper permission checks allow canceling queue items and aborting builds
(High) SECURITY-2371 / CVE-2021-21671
Session fixation vulnerability
Discovery: 2021-06-30. Entry: 2021-07-01. Affected: jenkins < 2.300; jenkins-lts < 2.289.2
CVE-2021-21670
CVE-2021-21671
https://www.jenkins.io/security/advisory/2021-06-30/
|
6905f05f-a0c9-11e8-8335-8c164535ad80 | jenkins -- multiple vulnerabilities
Jenkins Security Advisory:
Description
(Low) SECURITY-637
Jenkins allowed deserialization of URL objects with host components
(Medium) SECURITY-672
Ephemeral user record was created on some invalid authentication attempts
(Medium) SECURITY-790
Cron expression form validation could enter infinite loop, potentially resulting in denial of service
(Low) SECURITY-996
"Remember me" cookie was evaluated even if that feature is disabled
(Medium) SECURITY-1071
Unauthorized users could access agent logs
(Low) SECURITY-1076
Unauthorized users could cancel scheduled restarts initiated from the update center
Discovery: 2018-08-15. Entry: 2018-08-15. Affected: jenkins < 2.138; jenkins-lts < 2.121.3
https://jenkins.io/security/advisory/2018-08-15/
|