CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000396
https://notcve.org/view.php?id=CVE-2017-1000396
26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. Jenkins 2.73.1 y anteriores y 2.83 y anteriores incluía una versión de la ... • https://jenkins.io/security/advisory/2017-10-11 • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000395
https://notcve.org/view.php?id=CVE-2017-1000395
26 Jan 2018 — Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator. Jenkins 2.73.1 y anteriores y 2.83 y anteriores proporciona información so... • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000398
https://notcve.org/view.php?id=CVE-2017-1000398
26 Jan 2018 — The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. La API remota en Jenkins 2.73.1 y anteriores y 2.83 y anteriores en /computer/(agent-name)/api mostraba información sobre ... • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000504
https://notcve.org/view.php?id=CVE-2017-1000504
24 Jan 2018 — A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. Una condición de carrera durante el inicio de Jenkins 2.94 y anteriores y 2.89.1 y anteriores podría desembocar en un orden ... • https://jenkins.io/security/advisory/2017-12-14 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000503
https://notcve.org/view.php?id=CVE-2017-1000503
24 Jan 2018 — A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. Una condición de carrera durante el inicio de Jenkins 2.81 hasta la versión 2.94 (incluida) y la versión 2.89.1 podría desembocar en un orden incorrecto de ejecu... • https://jenkins.io/security/advisory/2017-12-14 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17383
https://notcve.org/view.php?id=CVE-2017-17383
06 Dec 2017 — Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. Jenkins hasta la versión 2.93 permite que administradores remotos no autenticados lleven a cabo ataques de XSS mediante un nombre de herramienta manipulado en un formulario de configuración de trabajos, tal y como demuestra la herramienta JDK en Jenkins core y la herram... • http://vsintelli.com/portal/blog/23-security-advisory-2017-12-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 40EXPL: 0CVE-2014-9635
https://notcve.org/view.php?id=CVE-2014-9635
12 Sep 2017 — Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. Jenkins en versiones anteriores a la 1.586 no establece el indicador "HttpOnly" en un encabezado Set-Cookie para cookies de sesión cuando se ejecuta en Tomcat 7.0.41 o siguientes, lo que facilita que los atacantes remotos obtengan información potencialmente sensib... • http://www.openwall.com/lists/oss-security/2015/01/22/3 • CWE-254: 7PK - Security Features •
CVSS: 5.3EPSS: 0%CPEs: 40EXPL: 0CVE-2014-9634
https://notcve.org/view.php?id=CVE-2014-9634
12 Sep 2017 — Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. Jenkins en versiones anteriores a la 1.586 no establece el indicador "secure" cuando se ejecuta en Tomcat 7.0.41 o posterior, lo que facilita que los atacantes remotos capturen cookies interceptando su transmisión en una sesión HTML. • http://www.openwall.com/lists/oss-security/2015/01/22/3 • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000362
https://notcve.org/view.php?id=CVE-2017-1000362
13 Jul 2017 — The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. • https://jenkins.io/security/advisory/2017-02-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 97%CPEs: 3EXPL: 5CVE-2017-1000353 – CloudBees Jenkins 2.32.1 - Java Deserialization
https://notcve.org/view.php?id=CVE-2017-1000353
05 May 2017 — Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol fr... • https://packetstorm.news/files/id/159266 • CWE-502: Deserialization of Untrusted Data •