CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2598
https://notcve.org/view.php?id=CVE-2017-2598
23 May 2018 — Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). Jenkins en versiones anteriores a la 2.44 y la 2.32.2 emplea el modo de cifrado en bloque AES ECB sin IV para cifrar secretos, lo que hace que Jenkins y los secretos almacenados sean vulnerables a riesgos innecesarios (SECURITY-304). • http://www.securityfocus.com/bid/95948 • CWE-325: Missing Cryptographic Step CWE-326: Inadequate Encryption Strength •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2609
https://notcve.org/view.php?id=CVE-2017-2609
22 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una divulgación de información en las sugerencias de búsqueda (SECURITY-385). La característica de autocompletado en la caja de búsqueda revela lo... • http://www.securityfocus.com/bid/95964 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2607
https://notcve.org/view.php?id=CVE-2017-2607
21 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. Jenkins en... • http://www.securityfocus.com/bid/95963 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2613
https://notcve.org/view.php?id=CVE-2017-2613
15 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Request Forgery (CSRF) de creación de usuarios mediante el uso de GET por parte de los administradores. Aunque este registro de usuarios solo se retiene hasta el... • http://www.securityfocus.com/bid/95967 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2603
https://notcve.org/view.php?id=CVE-2017-2603
15 May 2018 — Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una fuga de datos de usuario en la API config.xml de los agentes desconectados. Esto podría filtrar datos sensibles como tokens de API (SECURITY-362). • http://www.securityfocus.com/bid/95955 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-325: Missing Cryptographic Step •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2604
https://notcve.org/view.php?id=CVE-2017-2604
15 May 2018 — In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). En Jenkins en versiones anteriores a la 2.44 y 2.32.2, los usuarios de privilegios bajos podían realizar acciones en los monitores administrativos debido a que no estaban protegidos de forma consistente por controles de permisos (SECURITY-371). • http://www.securityfocus.com/bid/95959 • CWE-287: Improper Authentication CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2610
https://notcve.org/view.php?id=CVE-2017-2610
15 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Scripting (XSS) persistente en las sugerencias de búsqueda debido al escapado incorrecto de usuarios con los caracteres "menor que" y "mayor que" en sus nombres (SECURITY-388). • http://www.securityfocus.com/bid/95951 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2602
https://notcve.org/view.php?id=CVE-2017-2602
15 May 2018 — jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una lista negra incorrecta de los archivos de metadatos de Pipeline en el subsistema de seguridad de agente-maestro. Esto podría permitir que los archivos de metadatos sean escritos por agentes maliciosos (S... • http://www.securityfocus.com/bid/95952 • CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2600
https://notcve.org/view.php?id=CVE-2017-2600
15 May 2018 — In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). En Jenkins en versiones anteriores a la 2.44 y 2.32.2, los usuarios con privilegios bajos podrían visualizar los datos del monitor de nodos mediante la API remota. Estos datos incluyen la configuración del sistema y la información de arranque de estos nodos (SECURITY-343). • http://www.securityfocus.com/bid/95954 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-325: Missing Cryptographic Step •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2608
https://notcve.org/view.php?id=CVE-2017-2608
15 May 2018 — Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una vulnerabilidad de ejecución remota de código que implica la deserialización de varios tipos en javax.imageio en API basadas en XStream (SECURITY-383). • http://www.securityfocus.com/bid/95953 • CWE-502: Deserialization of Untrusted Data •