CVSS: 5.3EPSS: 0%CPEs: 40EXPL: 0CVE-2014-9634
https://notcve.org/view.php?id=CVE-2014-9634
12 Sep 2017 — Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. Jenkins en versiones anteriores a la 1.586 no establece el indicador "secure" cuando se ejecuta en Tomcat 7.0.41 o posterior, lo que facilita que los atacantes remotos capturen cookies interceptando su transmisión en una sesión HTML. • http://www.openwall.com/lists/oss-security/2015/01/22/3 • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000362
https://notcve.org/view.php?id=CVE-2017-1000362
13 Jul 2017 — The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. • https://jenkins.io/security/advisory/2017-02-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 97%CPEs: 3EXPL: 5CVE-2017-1000353 – CloudBees Jenkins 2.32.1 - Java Deserialization
https://notcve.org/view.php?id=CVE-2017-1000353
05 May 2017 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol fr... • https://packetstorm.news/files/id/159266 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 95%CPEs: 3EXPL: 3CVE-2016-9299 – Jenkins CLI - HTTP Java Deserialization
https://notcve.org/view.php?id=CVE-2016-9299
12 Jan 2017 — The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. El módulo remoting en Jenkins en versiones anteriores a 2.32 y LTS en versiones anteriores a 2.19.3 permite a atacantes remotos ejecutar código arbitrario a través de un objeto Java serializado, lo que desencadena una consulta LDAP a un servidor de terceros. • https://packetstorm.news/files/id/147665 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3722 – jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)
https://notcve.org/view.php?id=CVE-2016-3722
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name." Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permiten a usuarios remotos autenticados con múltiples cuentas provocar una denegación de servicio (sin posibilidad de acceso) editando el "full name". OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service solution designed for... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3725 – jenkins: Regular users can trigger download of update site metadata (SECURITY-273)
https://notcve.org/view.php?id=CVE-2016-3725
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados desencadenar actualizaciones de metadatos provenientes de portales de actualización aprovechando la falta de comprobación ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 1CVE-2016-3726 – jenkins: Open redirect to scheme-relative URLs (SECURITY-276)
https://notcve.org/view.php?id=CVE-2016-3726
17 May 2016 — Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs. Múltiples vulnerabilidades de redirección abierta en Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permiten a atacantes remotos redirigir usuarios a sitios web arbitrarios y realizar ataques de phishing a través de vectores no especificados rel... • https://packetstorm.news/files/id/143229 •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3723 – jenkins: Information on installed plugins exposed via API (SECURITY-250)
https://notcve.org/view.php?id=CVE-2016-3723
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con acceso a lectura obtener información sensible de instalación de plugin aprovechando la falta de comprobaciones de permisos en dispositivos XML/JSON API no especificad... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3724 – jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)
https://notcve.org/view.php?id=CVE-2016-3724
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con acceso avanzado a lectura obtener información sensible de contraseña leyendo la configuración de trabajo. OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service solution designed for ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3727 – jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)
https://notcve.org/view.php?id=CVE-2016-3727
17 May 2016 — The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. La URL API computer/(master)/api/xml en Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con permiso avanzado de lectura para el nodo maestro obtener información sensible sobre la configur... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •