VYPR

Maven package

org.jenkins-ci.main/jenkins-core

pkg:maven/org.jenkins-ci.main/jenkins-core

Vulnerabilities (249)

  • CVE-2017-2598MedMay 23, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

  • CVE-2017-2609MedMay 22, 2018
    affected < 2.32.2fixed 2.32.2

    jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does n

  • CVE-2017-2607MedMay 21, 2018
    affected < 2.32.2fixed 2.32.2

    jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Mal

  • CVE-2017-2613MedMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

  • CVE-2017-2610MedMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).

  • CVE-2017-2604MedMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

  • CVE-2017-2603LowMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

  • CVE-2017-2602LowMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).

  • CVE-2017-2612MedMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.

  • CVE-2017-2608HigMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

  • CVE-2017-2600MedMay 15, 2018
    affected < 2.32.2fixed 2.32.2

    In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

  • CVE-2017-2601MedMay 10, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

  • CVE-2017-2606MedMay 8, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of i

  • CVE-2017-2611MedMay 8, 2018
    affected < 2.44fixed 2.44

    Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these backgrou

  • CVE-2018-1000170MedApr 16, 2018
    affected >= 2.108, < 2.116fixed 2.116

    A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed

  • CVE-2018-1000169MedApr 16, 2018
    affected < 2.107.2fixed 2.107.2

    An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a C

  • CVE-2017-2599MedApr 11, 2018
    affected < 2.32.2fixed 2.32.2

    Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

  • CVE-2018-6356MedFeb 20, 2018
    affected < 2.89.4fixed 2.89.4

    Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not h

  • CVE-2018-1000068MedFeb 16, 2018
    affected < 2.89.4fixed 2.89.4

    An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on

  • CVE-2018-1000067MedFeb 16, 2018
    affected < 2.89.4fixed 2.89.4

    An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Page 8 of 13