
CVSS: 8.8 | EPSS: 1% | CPEs: 2 | EXPL: 0

29 Jan 2018 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. • http://www.securityfocus.com/bid/98062 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.9 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. • https://jenkins.io/security/advisory/2017-10-11 • CWE-295: Improper Certificate Validation

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins. • https://jenkins.io/security/advisory/2017-10-11 • CWE-20: Improper Input Validation

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to. • https://jenkins.io/security/advisory/2017-10-11 • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator. • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — In Jenkins 2.73.1 and earlier, 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators. • https://jenkins.io/security/advisory/2017-10-11 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 4.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — In Jenkins 2.88 and earlier, 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. • http://www.securityfocus.com/bid/101773 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files. • http://www.securityfocus.com/bid/101773 • CWE-20: Improper Input Validation

CVSS: 2.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Jan 2018 — The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged. • https://jenkins.io/security/advisory/2017-10-11 • CWE-20: Improper Input Validation