
CVE-2017-2604
https://notcve.org/view.php?id=CVE-2017-2604
15 May 2018 — In Jenkins before versions 2.44 and 2.32.2, low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). • http://www.securityfocus.com/bid/95959 • CWE-287: Improper Authentication; CWE-358: Improperly Implemented Security Check for Standard

CVE-2017-2602
https://notcve.org/view.php?id=CVE-2017-2602
15 May 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). • http://www.securityfocus.com/bid/95952 • CWE-184: Incomplete List of Disallowed Inputs

CVE-2017-2600
https://notcve.org/view.php?id=CVE-2017-2600
15 May 2018 — In Jenkins before versions 2.44 and 2.32.2, node monitor data could be viewed by low privilege users via the remote API. This data included system configuration and runtime information of these nodes (SECURITY-343). • http://www.securityfocus.com/bid/95954 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-325: Missing Cryptographic Step

CVE-2017-2612
https://notcve.org/view.php?id=CVE-2017-2612
15 May 2018 — In Jenkins before versions 2.44 and 2.32.2, low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. • http://www.securityfocus.com/bid/95957 • CWE-358: Improperly Implemented Security Check for Standard; CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2017-2608
https://notcve.org/view.php?id=CVE-2017-2608
15 May 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). • http://www.securityfocus.com/bid/95953 • CWE-502: Deserialization of Untrusted Data

CVE-2017-2601
https://notcve.org/view.php?id=CVE-2017-2601
10 May 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. • http://www.openwall.com/lists/oss-security/2022/04/12/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-2606
https://notcve.org/view.php?id=CVE-2017-2606
08 May 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. • http://www.securityfocus.com/bid/95962 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2017-2611
https://notcve.org/view.php?id=CVE-2017-2611
08 May 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on the Jenkins master and agents. • http://www.securityfocus.com/bid/95956 • CWE-358: Improperly Implemented Security Check for Standard; CWE-863: Incorrect Authorization

CVE-2018-1000169
https://notcve.org/view.php?id=CVE-2018-1000169
13 Apr 2018 — An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins. • https://access.redhat.com/errata/RHBA-2018:1816 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2018-1000170
https://notcve.org/view.php?id=CVE-2018-1000170
13 Apr 2018 — A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. • https://jenkins.io/security/advisory/2018-04-11/#SECURITY-759 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')