CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999003
https://notcve.org/view.php?id=CVE-2018-1999003
23 Jul 2018 — A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. Existe una vulnerabilidad de autorización incorrecta en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en Queue.java que permite que los atacantes con el permiso Overall/Read cancelen las builds en cola. • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-891 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999001
https://notcve.org/view.php?id=CVE-2018-1999001
23 Jul 2018 — A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. Existe una vulnerabilidad de modificación no autorizada de configuración en Jenkins en versiones 2.132 y... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897 •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 5CVE-2018-1999002 – Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-1999002
23 Jul 2018 — A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. Existe una lectura de archivos arbitrarios en Jenkins en versiones 2.132 y anteriores y en versiones 2.121.1 y anteriores en el org/kohsuke/stapler/Stapler.java del framework web Staple. Este per... • https://packetstorm.news/files/id/151823 •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999005
https://notcve.org/view.php?id=CVE-2018-1999005
23 Jul 2018 — A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. Existe una vulnerabilidad de Cross-Site Scripting (XSS), en Jenkins 2.132 y anteriores y 2.121.1 y anteriores, en BuildTimelineWidget.java y BuildTimelineWidget/control.jelly, que permit... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000194
https://notcve.org/view.php?id=CVE-2018-1000194
05 Jun 2018 — A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. Existe una vulnerabilidad de salto de directorio en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en FilePath.java y SoloFilePathFilter.java que permite a los agentes maliciosos leer y escribir archivos arbi... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000195
https://notcve.org/view.php?id=CVE-2018-1000195
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. Existe una vulnerabilidad Server-Side Request Forgery en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en ZipExtractionInstaller.java que permite a los usuarios con permiso Overall/Rea... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000193
https://notcve.org/view.php?id=CVE-2018-1000193
05 Jun 2018 — A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. Existe una vulnerabilidad de neutralización inadecuada de las secuencias de control en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en HudsonPrivateSecurityRealm... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000192
https://notcve.org/view.php?id=CVE-2018-1000192
05 Jun 2018 — A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. Existe una vulnerabilidad de exposición de información en Jenkins 2.120 y versiones anteriores, LTS 2.107.2 y versiones anteriores en AboutJenkins.java y ListPluginsCommand.java que permite a los usuarios con acceso Overall/Read enumerar todos los plugins instalados. • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771 •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2598
https://notcve.org/view.php?id=CVE-2017-2598
23 May 2018 — Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). Jenkins en versiones anteriores a la 2.44 y la 2.32.2 emplea el modo de cifrado en bloque AES ECB sin IV para cifrar secretos, lo que hace que Jenkins y los secretos almacenados sean vulnerables a riesgos innecesarios (SECURITY-304). • http://www.securityfocus.com/bid/95948 • CWE-325: Missing Cryptographic Step CWE-326: Inadequate Encryption Strength •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2609
https://notcve.org/view.php?id=CVE-2017-2609
22 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una divulgación de información en las sugerencias de búsqueda (SECURITY-385). La característica de autocompletado en la caja de búsqueda revela lo... • http://www.securityfocus.com/bid/95964 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •