CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1999043
https://notcve.org/view.php?id=CVE-2018-1999043
23 Aug 2018 — A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. Existe una vulnerabilidad de denegación de servicio (DoS) en Jenkins en versiones 2.137 y anteriores y 2.121.2 y anteriores en BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java que permite que los atacantes creen... • https://jenkins.io/security/advisory/2018-08-15/#SECURITY-672 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1999046
https://notcve.org/view.php?id=CVE-2018-1999046
23 Aug 2018 — A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent. Existe una vulnerabilidad de exposición de información sensible en Jenkins en versiones 2.137 y anteriores y 2.121.2 y anteriores en Computer.java que permite que los atacantes con permiso Overall/Read accedan al registro de conexiones para cualquier agente. • https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1071 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1999044
https://notcve.org/view.php?id=CVE-2018-1999044
23 Aug 2018 — A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. Existe una vulnerabilidad de denegación de servicio (DoS) en Jenkins en versiones 2.137 y anteriores y 2.121.2 y anteriores en CronTab.java que permite que los atacantes con permiso Overall/Read hagan que un hilo de gestión de peticiones se meta en un bucle infinito. • https://jenkins.io/security/advisory/2018-08-15/#SECURITY-790 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1999006
https://notcve.org/view.php?id=CVE-2018-1999006
23 Jul 2018 — A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. Existe una vulnerabilidad de exposición de información sensible en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en Plugin.java que permite que los atacantes determinen la fecha y hora cuando un archivo de plugin HPI/... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-925 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999007
https://notcve.org/view.php?id=CVE-2018-1999007
23 Jul 2018 — A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999004
https://notcve.org/view.php?id=CVE-2018-1999004
23 Jul 2018 — A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. Existe una vulnerabilidad de autorización incorrecta en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en SlaveComputer.java que permite que los atacantes con el permiso Overall/Read inicien el arranque de los agentes y aborten el arranque en proceso de los agentes. • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-892 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999003
https://notcve.org/view.php?id=CVE-2018-1999003
23 Jul 2018 — A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. Existe una vulnerabilidad de autorización incorrecta en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en Queue.java que permite que los atacantes con el permiso Overall/Read cancelen las builds en cola. • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-891 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999001
https://notcve.org/view.php?id=CVE-2018-1999001
23 Jul 2018 — A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. Existe una vulnerabilidad de modificación no autorizada de configuración en Jenkins en versiones 2.132 y... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897 •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 5CVE-2018-1999002 – Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-1999002
23 Jul 2018 — A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. Existe una lectura de archivos arbitrarios en Jenkins en versiones 2.132 y anteriores y en versiones 2.121.1 y anteriores en el org/kohsuke/stapler/Stapler.java del framework web Staple. Este per... • https://packetstorm.news/files/id/151823 •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999005
https://notcve.org/view.php?id=CVE-2018-1999005
23 Jul 2018 — A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. Existe una vulnerabilidad de Cross-Site Scripting (XSS), en Jenkins 2.132 y anteriores y 2.121.1 y anteriores, en BuildTimelineWidget.java y BuildTimelineWidget/control.jelly, que permit... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •