CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10353 – jenkins: CSRF protection tokens did not expire (SECURITY-626)
https://notcve.org/view.php?id=CVE-2019-10353
17 Jul 2019 — CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. Unos tokens de tipo CSRF en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, no expiraron, de este modo permitieron a atacantes capaces de lograrlo omitir la protección de tipo CSRF. A flaw was found in Jenkins in weekly versions prior to 2.186 and LTS versions prior to 2.176.2. By default, CSRF tokens in Jenkins only checked use... • http://www.openwall.com/lists/oss-security/2019/07/17/2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10354 – jenkins: Unauthorized view fragment access (SECURITY-534)
https://notcve.org/view.php?id=CVE-2019-10354
17 Jul 2019 — A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. Una vulnerabilidad en el framework web Stapler usado en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, ha permitido a los atacantes acceder directamente a los fragmentos de visualización, omitiendo las comprobaciones de permisos y posiblemente obtener infor... • http://www.openwall.com/lists/oss-security/2019/07/17/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 35%CPEs: 2EXPL: 1CVE-2019-10352 – jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424)
https://notcve.org/view.php?id=CVE-2019-10352
17 Jul 2019 — A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. Una vulnerabilidad de salto de ruta (path) en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, en el archivo core/src/main/java/hudson/... • http://www.openwall.com/lists/oss-security/2019/07/17/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2019-1003050
https://notcve.org/view.php?id=CVE-2019-1003050
10 Apr 2019 — The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. El control de formulario f: validateButton para la interfaz de usuario de Jenkins no escapa apropiadamente de las URL de tareas en Jenkins versión 2.171 y anteriores y Jenkins LTS versión 2.164.1 y anteriores, resultando en una vulnerabilidad d... • http://www.securityfocus.com/bid/107889 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-1003049
https://notcve.org/view.php?id=CVE-2019-1003049
10 Apr 2019 — Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. Los usuarios que almacenaron su autenticación CLI antes de que Jenkins se actualizara a la versión 2.150.2 o posteriores, o a la versión 2.160 o posteriores, permanecerían autenticados en... • http://www.securityfocus.com/bid/107901 • CWE-613: Insufficient Session Expiration •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000997
https://notcve.org/view.php?id=CVE-2018-1000997
23 Jan 2019 — A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenki... • https://jenkins.io/security/advisory/2018-10-10/#SECURITY-867 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2019-1003003
https://notcve.org/view.php?id=CVE-2019-1003003
22 Jan 2019 — An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts. Existe una vulnerabilidad de autorización incorrecta en Jenkins, en la versión 2.158 y anteriores y con el firmware LTS 2.150.1 y anteriores, en ore/src/... • http://www.securityfocus.com/bid/106680 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2019-1003004
https://notcve.org/view.php?id=CVE-2019-1003004
22 Jan 2019 — An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time. Existe una vulnerabilidad de autorización incorrecta en Jenkins, en la versión 2.158 y anteriores con firmware LTS 2.150.1 y anteriores, en core/src/main/java/hudson/security/Authentica... • http://www.securityfocus.com/bid/106680 •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000407
https://notcve.org/view.php?id=CVE-2018-1000407
09 Jan 2019 — A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. Una vulnerabilidad de Cross-Site Scripting (XSS) existe en Jenkins 2.145 y anteriores, con la versión de firmware LTS 2.138.1, en core/src/main/java/hudson/model/Api.java que permite a los atacantes especificar URL en Jenkins que resulten en la rend... • http://www.securityfocus.com/bid/106532 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000410
https://notcve.org/view.php?id=CVE-2018-1000410
09 Jan 2019 — An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. Una vulnerabilidad de exposición de información existe en Jenki... • http://www.securityfocus.com/bid/106532 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •