CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2602
https://notcve.org/view.php?id=CVE-2017-2602
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una lista negra incorrecta de los archivos de metadatos de Pipeline en el subsistema de seguridad de agente-maestro. Esto podría permitir que los archivos de metadatos sean escritos por agentes maliciosos (SECURITY-358). • http://www.securityfocus.com/bid/95952 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2602 https://github.com/jenkinsci/jenkins/commit/414ff7e30aba66bed18c4ee8a8660fb36fc8c655 https://jenkins.io/security/advisory/2017-02-01 • CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2612
https://notcve.org/view.php?id=CVE-2017-2612
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. En Jenkins en versiones anteriores a la 2.44 y 2.32.2, usuarios con pocos privilegios fueron capaces de omitir las credenciales de descarga JDK (SECURITY-392), lo que resulta en que las próximas builds no puedan descargar un JDK. • http://www.securityfocus.com/bid/95957 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612 https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722 https://jenkins.io/security/advisory/2017-02-01 • CWE-358: Improperly Implemented Security Check for Standard CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2608
https://notcve.org/view.php?id=CVE-2017-2608
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una vulnerabilidad de ejecución remota de código que implica la deserialización de varios tipos en javax.imageio en API basadas en XStream (SECURITY-383). • http://www.securityfocus.com/bid/95953 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608 https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722 https://jenkins.io/security/advisory/2017-02-01 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2600
https://notcve.org/view.php?id=CVE-2017-2600
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). En Jenkins en versiones anteriores a la 2.44 y 2.32.2, los usuarios con privilegios bajos podrían visualizar los datos del monitor de nodos mediante la API remota. Estos datos incluyen la configuración del sistema y la información de arranque de estos nodos (SECURITY-343). • http://www.securityfocus.com/bid/95954 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600 https://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899 https://jenkins.io/security/advisory/2017-02-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-325: Missing Cryptographic Step •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2601
https://notcve.org/view.php?id=CVE-2017-2601
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. Jenkins en versiones anteriores a la 2.44, 2.32.2 es vulnerable a Cross-Site Scripting (XSS) persistente en nombres y descripciones de parámetros (SECURITY-353). Los usuarios con el permiso para configurar jobs pudieron inyectar JavaScript en nombres y descripciones de parámetro. • http://www.openwall.com/lists/oss-security/2022/04/12/5 http://www.openwall.com/lists/oss-security/2022/05/17/8 http://www.openwall.com/lists/oss-security/2022/06/22/3 http://www.openwall.com/lists/oss-security/2022/06/30/3 http://www.openwall.com/lists/oss-security/2022/10/19/3 http://www.securityfocus.com/bid/95960 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2601 https://github.com/jenkinsci/jenkins/commit/fd2e081b947124c90bcd97bfc55e1a7f2ef41a74 https • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •