CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000194
https://notcve.org/view.php?id=CVE-2018-1000194
05 Jun 2018 — A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. Existe una vulnerabilidad de salto de directorio en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en FilePath.java y SoloFilePathFilter.java que permite a los agentes maliciosos leer y escribir archivos arbi... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000195
https://notcve.org/view.php?id=CVE-2018-1000195
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. Existe una vulnerabilidad Server-Side Request Forgery en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en ZipExtractionInstaller.java que permite a los usuarios con permiso Overall/Rea... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000193
https://notcve.org/view.php?id=CVE-2018-1000193
05 Jun 2018 — A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. Existe una vulnerabilidad de neutralización inadecuada de las secuencias de control en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en HudsonPrivateSecurityRealm... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000192
https://notcve.org/view.php?id=CVE-2018-1000192
05 Jun 2018 — A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. Existe una vulnerabilidad de exposición de información en Jenkins 2.120 y versiones anteriores, LTS 2.107.2 y versiones anteriores en AboutJenkins.java y ListPluginsCommand.java que permite a los usuarios con acceso Overall/Read enumerar todos los plugins instalados. • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771 •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2598
https://notcve.org/view.php?id=CVE-2017-2598
23 May 2018 — Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). Jenkins en versiones anteriores a la 2.44 y la 2.32.2 emplea el modo de cifrado en bloque AES ECB sin IV para cifrar secretos, lo que hace que Jenkins y los secretos almacenados sean vulnerables a riesgos innecesarios (SECURITY-304). • http://www.securityfocus.com/bid/95948 • CWE-325: Missing Cryptographic Step CWE-326: Inadequate Encryption Strength •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2609
https://notcve.org/view.php?id=CVE-2017-2609
22 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una divulgación de información en las sugerencias de búsqueda (SECURITY-385). La característica de autocompletado en la caja de búsqueda revela lo... • http://www.securityfocus.com/bid/95964 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2607
https://notcve.org/view.php?id=CVE-2017-2607
21 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. Jenkins en... • http://www.securityfocus.com/bid/95963 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2613
https://notcve.org/view.php?id=CVE-2017-2613
15 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Request Forgery (CSRF) de creación de usuarios mediante el uso de GET por parte de los administradores. Aunque este registro de usuarios solo se retiene hasta el... • http://www.securityfocus.com/bid/95967 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2603
https://notcve.org/view.php?id=CVE-2017-2603
15 May 2018 — Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una fuga de datos de usuario en la API config.xml de los agentes desconectados. Esto podría filtrar datos sensibles como tokens de API (SECURITY-362). • http://www.securityfocus.com/bid/95955 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-325: Missing Cryptographic Step •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2610
https://notcve.org/view.php?id=CVE-2017-2610
15 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Scripting (XSS) persistente en las sugerencias de búsqueda debido al escapado incorrecto de usuarios con los caracteres "menor que" y "mayor que" en sus nombres (SECURITY-388). • http://www.securityfocus.com/bid/95951 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •