CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999003
https://notcve.org/view.php?id=CVE-2018-1999003
23 Jul 2018 — A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. Existe una vulnerabilidad de autorización incorrecta en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en Queue.java que permite que los atacantes con el permiso Overall/Read cancelen las builds en cola. • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-891 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999004
https://notcve.org/view.php?id=CVE-2018-1999004
23 Jul 2018 — A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. Existe una vulnerabilidad de autorización incorrecta en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en SlaveComputer.java que permite que los atacantes con el permiso Overall/Read inicien el arranque de los agentes y aborten el arranque en proceso de los agentes. • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-892 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999005
https://notcve.org/view.php?id=CVE-2018-1999005
23 Jul 2018 — A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. Existe una vulnerabilidad de Cross-Site Scripting (XSS), en Jenkins 2.132 y anteriores y 2.121.1 y anteriores, en BuildTimelineWidget.java y BuildTimelineWidget/control.jelly, que permit... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1999007
https://notcve.org/view.php?id=CVE-2018-1999007
23 Jul 2018 — A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en Jenkins 2.132 y anteriores y 2.121.1 y anteriores en... • https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 3EXPL: 0CVE-2018-1000192
https://notcve.org/view.php?id=CVE-2018-1000192
05 Jun 2018 — A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins. Existe una vulnerabilidad de exposición de información en Jenkins 2.120 y versiones anteriores, LTS 2.107.2 y versiones anteriores en AboutJenkins.java y ListPluginsCommand.java que permite a los usuarios con acceso Overall/Read enumerar todos los plugins instalados. • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771 •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000193
https://notcve.org/view.php?id=CVE-2018-1000193
05 Jun 2018 — A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. Existe una vulnerabilidad de neutralización inadecuada de las secuencias de control en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en HudsonPrivateSecurityRealm... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.1EPSS: 1%CPEs: 3EXPL: 0CVE-2018-1000194
https://notcve.org/view.php?id=CVE-2018-1000194
05 Jun 2018 — A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection. Existe una vulnerabilidad de salto de directorio en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en FilePath.java y SoloFilePathFilter.java que permite a los agentes maliciosos leer y escribir archivos arbi... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 1%CPEs: 3EXPL: 0CVE-2018-1000195
https://notcve.org/view.php?id=CVE-2018-1000195
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. Existe una vulnerabilidad Server-Side Request Forgery en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en ZipExtractionInstaller.java que permite a los usuarios con permiso Overall/Rea... • https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 34%CPEs: 3EXPL: 0CVE-2018-6356
https://notcve.org/view.php?id=CVE-2018-6356
20 Feb 2018 — Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. J... • http://www.openwall.com/lists/oss-security/2018/02/14/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000067
https://notcve.org/view.php?id=CVE-2018-1000067
16 Feb 2018 — An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. Existe una sobrelectura de búfer basado en memoria dinámica (heap) en la función Exiv2::Image::byteSwap4 de image.cpp en la versión 0.26 de Exiv2. Los atacantes remotos pueden explotar esta vulnerabilidad para revelar datos de la memoria o provocar una denegación de servicio (DoS) med... • https://jenkins.io/security/advisory/2018-02-14/#SECURITY-506 • CWE-918: Server-Side Request Forgery (SSRF) •