CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2599
https://notcve.org/view.php?id=CVE-2017-2599
11 Apr 2018 — Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). Jenkins, en versiones anteriores a la 2.44 y 2.32.2, es vulnerable a una comprobación de permisos insuficiente. Esto permite que usuarios con permisos para crear nuevos items (por ejemplo, jobs) para sobrescribir items existentes a los que no tienen acceso (SECURITY-321). • http://www.securityfocus.com/bid/95949 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 8%CPEs: 3EXPL: 0CVE-2018-6356
https://notcve.org/view.php?id=CVE-2018-6356
20 Feb 2018 — Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. J... • http://www.openwall.com/lists/oss-security/2018/02/14/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000067
https://notcve.org/view.php?id=CVE-2018-1000067
16 Feb 2018 — An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. Existe una sobrelectura de búfer basado en memoria dinámica (heap) en la función Exiv2::Image::byteSwap4 de image.cpp en la versión 0.26 de Exiv2. Los atacantes remotos pueden explotar esta vulnerabilidad para revelar datos de la memoria o provocar una denegación de servicio (DoS) med... • https://jenkins.io/security/advisory/2018-02-14/#SECURITY-506 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000068
https://notcve.org/view.php?id=CVE-2018-1000068
16 Feb 2018 — An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. En el servicio KeyStore, hay una omisión de permisos que permite el acceso a recursos protegidos. Esto podría llevar a un escalado de privilegios local sin necesitar privilegios de ejecución del siste... • http://www.securityfocus.com/bid/103101 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000355
https://notcve.org/view.php?id=CVE-2017-1000355
29 Jan 2018 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. Jenkins, en versiones 2.56 y anteriores y 2.46.1 LTS y anteriores, es vulnerable al cierre inesperado de Java XStream: al intentar crear una instancia void/Void. • http://www.securityfocus.com/bid/98066 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000354
https://notcve.org/view.php?id=CVE-2017-1000354
29 Jan 2018 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins use... • http://www.securityfocus.com/bid/98065 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2017-1000356
https://notcve.org/view.php?id=CVE-2017-1000356
29 Jan 2018 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. Jenkins, en versiones 2.56 y anteriores y 2.46.1 LTS y anteriores, es vulnerable a un problema en el realm de autenticación de la base de datos de usuarios de Jenkin... • http://www.securityfocus.com/bid/98062 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000398
https://notcve.org/view.php?id=CVE-2017-1000398
26 Jan 2018 — The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. La API remota en Jenkins 2.73.1 y anteriores y 2.83 y anteriores en /computer/(agent-name)/api mostraba información sobre ... • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000396
https://notcve.org/view.php?id=CVE-2017-1000396
26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. Jenkins 2.73.1 y anteriores y 2.83 y anteriores incluía una versión de la ... • https://jenkins.io/security/advisory/2017-10-11 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000394
https://notcve.org/view.php?id=CVE-2017-1000394
26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins. Jenkins 2.73.1 y anteriores y 2.83 y anteriores incluía una versión de la biblioteca commons-fileupload con la vulnerabilidad de denegación de servicio (DoS) conocida como CVE-2016-3092. La solución para esa vulnerabilidad se ha trasladado a la ve... • https://jenkins.io/security/advisory/2017-10-11 • CWE-20: Improper Input Validation •