CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000407
https://notcve.org/view.php?id=CVE-2018-1000407
09 Jan 2019 — A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. Una vulnerabilidad de Cross-Site Scripting (XSS) existe en Jenkins 2.145 y anteriores, con la versión de firmware LTS 2.138.1, en core/src/main/java/hudson/model/Api.java que permite a los atacantes especificar URL en Jenkins que resulten en la rend... • http://www.securityfocus.com/bid/106532 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000406
https://notcve.org/view.php?id=CVE-2018-1000406
09 Jan 2019 — A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. Una vulnerabilidad de salto de directorio existe en Jenkins, en sus versiones 2.145 y anteriores LTS 2.138.1 y anteriores, en core/src/main/java/huds... • http://www.securityfocus.com/bid/106532 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000410
https://notcve.org/view.php?id=CVE-2018-1000410
09 Jan 2019 — An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. Una vulnerabilidad de exposición de información existe en Jenki... • http://www.securityfocus.com/bid/106532 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000408
https://notcve.org/view.php?id=CVE-2018-1000408
09 Jan 2019 — A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory. Una vulnerabilidad de denegación de servicio (DoS) existe en Jenkins, en sus versiones 2.145 y anteriores, en core/src/main/java/hu... • http://www.securityfocus.com/bid/106532 •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000409
https://notcve.org/view.php?id=CVE-2018-1000409
09 Jan 2019 — A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. Una vulnerabilidad de fijación de sesión existe en Jenkins, en sus versiones 2.145 y anteriores con la versión de firmware LTS 2.138.1 y anteriores, en core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.jav... • http://www.securityfocus.com/bid/106532 • CWE-384: Session Fixation •
CVSS: 10.0EPSS: 96%CPEs: 3EXPL: 3CVE-2018-1000861 – Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2018-1000861
10 Dec 2018 — A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. Existe una vulnerabilidad de ejecución de código en el framework web de Stapler empleando por Jenkins en versiones 2.153 y anteriores, y LTS 2.138.3 y anteriores en stapler/core/src/main/... • https://packetstorm.news/files/id/166778 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000862
https://notcve.org/view.php?id=CVE-2018-1000862
10 Dec 2018 — An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. Existe una vulnerabilidad de exposición de información en Jenkins en versiones 2.153 y anteriores, y LTS 2.138.3 y anteriores en DirectoryBrowserSupport.java que permite que los atacantes con habilidad par... • http://www.securityfocus.com/bid/106176 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 1CVE-2018-1000863
https://notcve.org/view.php?id=CVE-2018-1000863
10 Dec 2018 — A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. Existe una vulnerabilidad de modificación de datos en Jenkins en versiones 2.153 y anteriores, y LTS 2.138.3 y anteriores en User.java e IdStrategy.java que permite que los atacantes envíen nombres de usuar... • http://www.securityfocus.com/bid/106176 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000864
https://notcve.org/view.php?id=CVE-2018-1000864
10 Dec 2018 — A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. Existe una vulnerabilidad de denegación de servicio (DoS) en Jenkins 2.153 y anteriores y 2.138.3 y anteriores en CronTab.java que permite que los atacantes con el permiso Overall/Read hagan que un hilo de manejo de peticiones entre en bucle infinito. • http://www.securityfocus.com/bid/106176 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1999045
https://notcve.org/view.php?id=CVE-2018-1999045
23 Aug 2018 — A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. Existe una vulnerabilidad de autenticación incorrecta en Jenkins en versiones 2.137 y anteriores y 2.121.2 y anteriores en SecurityRealm.java y TokenBasedRememberMeServices2.java que permite que los atacantes con una cookie válida mantengan su sesión abierta in... • https://jenkins.io/security/advisory/2018-08-15/#SECURITY-996 • CWE-287: Improper Authentication •