Maven package
org.jenkins-ci.main/jenkins-core
pkg:maven/org.jenkins-ci.main/jenkins-core
Vulnerabilities (249)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-2223 | Med | 5.4 | < 2.235.2 | 2.235.2 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability. | |
| CVE-2020-2222 | Med | 5.4 | < 2.235.2 | 2.235.2 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. | |
| CVE-2020-2221 | Med | 5.4 | < 2.235.2 | 2.235.2 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. | |
| CVE-2020-2220 | Med | 5.4 | < 2.235.2 | 2.235.2 | Jul 15, 2020 | Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. | |
| CVE-2020-2162 | Med | 5.4 | < 2.228 | 2.228 | Mar 25, 2020 | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | |
| CVE-2020-2160 | Hig | 8.8 | < 2.204.6 | 2.204.6 | Mar 25, 2020 | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. | |
| CVE-2012-0785 | Hig | 7.5 | >= 1.425, < 1.447 | 1.447 | Feb 24, 2020 | Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack." | |
| CVE-2020-2105 | Med | 5.4 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. | |
| CVE-2020-2104 | Med | 4.3 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. | |
| CVE-2020-2103 | Med | 5.4 | >= 2.205, < 2.219 | 2.219 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page. | |
| CVE-2020-2102 | Med | 5.3 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC. | |
| CVE-2020-2101 | Med | 5.3 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret. | |
| CVE-2020-2100 | Med | 5.8 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. | |
| CVE-2020-2099 | Hig | 8.6 | < 2.204.2 | 2.204.2 | Jan 29, 2020 | Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jen | |
| CVE-2015-1811 | Hig | 7.5 | >= 1.597, < 1.600 | 1.600 | Jan 15, 2020 | XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document. | |
| CVE-2015-1809 | Hig | 7.5 | >= 1.597, < 1.600 | 1.600 | Jan 15, 2020 | XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query. | |
| CVE-2012-4439 | Med | 6.1 | < 1.466.2 | 1.466.2 | Nov 18, 2019 | Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins. | |
| CVE-2012-4438 | Hig | 8.8 | < 1.466.2 | 1.466.2 | Nov 18, 2019 | Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code. | |
| CVE-2019-10406 | Med | 4.8 | < 2.176.4 | 2.176.4 | Sep 25, 2019 | Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | |
| CVE-2019-10405 | Med | 5.4 | < 2.176.4 | 2.176.4 | Sep 25, 2019 | Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. |
- affected < 2.235.2fixed 2.235.2
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.
- affected < 2.235.2fixed 2.235.2
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
- affected < 2.235.2fixed 2.235.2
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
- affected < 2.235.2fixed 2.235.2
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
- affected < 2.228fixed 2.228
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
- affected < 2.204.6fixed 2.204.6
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
- affected >= 1.425, < 1.447fixed 1.447
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."
- affected < 2.204.2fixed 2.204.2
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
- affected < 2.204.2fixed 2.204.2
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
- affected >= 2.205, < 2.219fixed 2.219
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
- affected < 2.204.2fixed 2.204.2
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
- affected < 2.204.2fixed 2.204.2
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
- affected < 2.204.2fixed 2.204.2
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
- affected < 2.204.2fixed 2.204.2
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jen
- affected >= 1.597, < 1.600fixed 1.600
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.
- affected >= 1.597, < 1.600fixed 1.600
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.
- affected < 1.466.2fixed 1.466.2
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.
- affected < 1.466.2fixed 1.466.2
Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.
- affected < 2.176.4fixed 2.176.4
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
- affected < 2.176.4fixed 2.176.4
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Page 5 of 13