VYPR

Maven package

org.jenkins-ci.main/jenkins-core

pkg:maven/org.jenkins-ci.main/jenkins-core

Vulnerabilities (249)

  • CVE-2017-1000356HigJan 29, 2018
    affected >= 2.50, < 2.57fixed 2.57

    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default

  • CVE-2017-1000355MedJan 29, 2018
    affected >= 2.50, < 2.57fixed 2.57

    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.

  • CVE-2017-1000354HigJan 29, 2018
    affected >= 2.50, < 2.57fixed 2.57

    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a c

  • CVE-2017-1000353CriKEVJan 29, 2018
    affected >= 2.50, < 2.57fixed 2.57

    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that wo

  • CVE-2017-1000401LowJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log

  • CVE-2017-1000400MedJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This

  • CVE-2017-1000399MedJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Re

  • CVE-2017-1000398MedJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack

  • CVE-2017-1000396MedJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive depend

  • CVE-2017-1000395MedJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is in

  • CVE-2017-1000394HigJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

  • CVE-2017-1000393HigJan 26, 2018
    affected < 2.73.2fixed 2.73.2

    Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the

  • CVE-2017-1000392MedJan 26, 2018
    affected < 2.73.3fixed 2.73.3

    Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and gre

  • CVE-2017-1000391HigJan 26, 2018
    affected < 2.73.3fixed 2.73.3

    Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without

  • CVE-2017-1000504HigJan 24, 2018
    affected >= 2.81, < 2.89.2fixed 2.89.2

    A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins i

  • CVE-2017-1000503HigJan 24, 2018
    affected >= 2.81, < 2.89.2fixed 2.89.2

    A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple

  • CVE-2017-17383MedDec 6, 2017
    affected < 2.94fixed 2.94

    Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

  • CVE-2014-9635MedSep 12, 2017
    affected < 1.586fixed 1.586

    Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

  • CVE-2014-9634MedSep 12, 2017
    affected < 1.586fixed 1.586

    Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

  • CVE-2017-1000362CriJul 17, 2017
    affected >= 1.498, < 2.32.2fixed 2.32.2

    The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins n

Page 9 of 13