CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1812 – jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
https://notcve.org/view.php?id=CVE-2015-1812
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-1813. Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205615 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 https://access.redhat.com/security/cve/CVE-2015-1812 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1807 – jenkins: directory traversal from artifacts via symlink (SECURITY-162)
https://notcve.org/view.php?id=CVE-2015-1807
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts. Vulnerabilidad de salto de directorio en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con ciertos permisos para leer archivos arbitrarios a través de un enlace simbólico, relacionado con los objetos de construcción. It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosure of information on the server. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205622 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1807 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1810 – jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)
https://notcve.org/view.php?id=CVE-2015-1810
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name. La clase HudsonPrivateSecurityRealm en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 no restringe el acceso a nombres reservados cuando usan la configuración "base de datos de usuario propia Jenkins", lo que permite a atacantes remotos obtener privilegios creando un nombre reservado. It was discovered that the internal Jenkins user database did not restrict access to reserved names, allowing users to escalate privileges. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205627 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1810 • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1813 – jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
https://notcve.org/view.php?id=CVE-2015-1813
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-1812. Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205615 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 https://access.redhat.com/security/cve/CVE-2015-1813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2064
https://notcve.org/view.php?id=CVE-2014-2064
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts. La función loadUserByUsername en hudson/security/HudsonPrivateSecurityRealm.java en Jenkins en versiones anteriores a 1.551 y LTS en versiones anteriores a 1.532.2 permite a atacantes remotos determinar si existe un usuario relacionado con los intentos de acceso fallidos. • http://www.openwall.com/lists/oss-security/2014/02/21/2 https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •