Security Vulnerabilities - CVEs Published In April 2019
A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2019-04-30
Jenkins Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-04-30
Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2019-04-30
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-04-30
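The entry above describes the classic OAuth login CSRF: without a session-bound state parameter, an attacker can make a victim's browser deliver the attacker's authorization code to the callback, so the victim ends up logged in as (or linked to) the attacker's account. The following is an added example, not code from Shodan or from the Jenkins GitHub Authentication Plugin, written against the standard library. It simulates the authorization-code flow with a vulnerable callback handler beside a fixed one; the endpoint URLs, client id, and the code-to-account table are constructed for the example.

```python
# Added example: an OAuth 2.0 authorization-code client that binds the
# `state` parameter to the browser session, beside a callback handler
# that ignores it. Not code from Shodan or from the Jenkins GitHub
# Authentication Plugin; endpoint URLs, client id and the code table are
# constructed for the example.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.example/login/oauth/authorize"  # assumed
REDIRECT_URI = "https://jenkins.example/securityRealm/finishLogin"  # assumed
CLIENT_ID = "jenkins-example"  # assumed

# Constructed stand-in for the token endpoint: authorization code -> the
# provider account that produced it. A real client POSTs the code to the
# token endpoint and then asks the provider whose token it received.
CODES = {"code-issued-to-victim": "victim", "code-issued-to-attacker": "attacker"}


@dataclass
class Session:
    """Server-side session of one browser. `oauth_state` is the CSRF token
    handed out at the start of the flow; `linked_account` is the provider
    identity the session ends up logged in as."""
    browser_user: str
    oauth_state: Optional[str] = None
    linked_account: Optional[str] = None


def begin_login(session: Session) -> str:
    """Step 1: store an unguessable, single-use state in the caller's
    session and send it along to the authorization server."""
    session.oauth_state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "state": session.oauth_state})
    return f"{AUTHORIZE_URL}?{query}"


def _callback_params(callback_url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def finish_login_vulnerable(session: Session, callback_url: str) -> bool:
    """The flaw: any `code` that reaches the callback is exchanged and bound
    to whichever session the browser carries, so an attacker can log the
    victim's browser in as the attacker's account."""
    params = _callback_params(callback_url)
    if params.get("code") not in CODES:
        return False
    session.linked_account = CODES[params["code"]]
    return True


def finish_login_fixed(session: Session, callback_url: str) -> bool:
    """Step 2 done right: honour the callback only if it carries the state
    this session issued. The state is consumed whether or not the check
    passes, so a callback cannot be replayed and a failed guess costs the
    attacker the victim's pending flow."""
    params = _callback_params(callback_url)
    expected, session.oauth_state = session.oauth_state, None
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    if params.get("code") not in CODES:
        return False
    session.linked_account = CODES[params["code"]]
    return True


def forged_callback(code: str, state: str = "") -> str:
    """What the attacker makes the victim's browser visit (via an <img> or
    a link): the attacker's own code plus whatever state they guess."""
    query = {"code": code}
    if state:
        query["state"] = state
    return f"{REDIRECT_URI}?{urlencode(query)}"


def legitimate_callback(authorize_url: str, code: str) -> str:
    """The redirect the authorization server sends back: the code plus the
    state echoed unchanged from the request begin_login built."""
    state = parse_qs(urlparse(authorize_url).query)["state"][0]
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"
```

The comparison uses `hmac.compare_digest` so the check is constant-time, and the pending state is cleared before the result is known; a handler that only clears it on success lets an attacker keep guessing against the same token.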
Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-04-30
Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2019-04-30
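The Koji and SiteMonitor entries above share one pattern: a plugin that wanted to talk to an endpoint with a self-signed certificate turned off certificate and hostname verification for the whole JVM (in Java, through the process-wide defaults on HttpsURLConnection), so every other HTTPS client in the Jenkins master silently lost protection against man-in-the-middle attacks. Jenkins plugins are Java, so the following is not the plugins' code; it is an added example in Python, using the standard library, of the same process-wide mistake and of the scoped alternative: a verifying context, optionally trusting a private CA, handed only to the one client that needs it. The `cafile` path is an assumed parameter.

```python
# Added example: the Python analogue of the JVM-wide mistake in the Koji
# and SiteMonitor entries. Not the plugins' code (they are Java); shows
# the process-wide error and a scoped alternative with the standard
# library's ssl and urllib modules.
import ssl
import urllib.request
from typing import Dict, Optional


def disable_verification_globally() -> None:
    """The process-wide shortcut. http.client builds its default context by
    calling ssl._create_default_https_context(), so after this every HTTPS
    connection in the interpreter that does not pass its own context stops
    checking certificates and hostnames, not only the one request the
    author had in mind."""
    ssl._create_default_https_context = ssl._create_unverified_context


def restore_global_default() -> None:
    """Undo the shortcut. Only useful in a test; production code should
    never have called disable_verification_globally in the first place."""
    ssl._create_default_https_context = ssl.create_default_context


def audit(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Summarise whether a context verifies the peer certificate and the
    hostname it presents."""
    return {"check_hostname": bool(ctx.check_hostname),
            "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED}


def audit_global_default() -> Dict[str, bool]:
    """Inspect what urlopen() will use when no context is supplied."""
    return audit(ssl._create_default_https_context())


def trusted_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Scoped alternative: a verifying context that, when `cafile` (an
    assumed path to a PEM bundle) is given, trusts that private CA in
    addition to the system roots. Nothing else in the process is affected."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Use the scoped context for one client only; performs network I/O."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```

The Java equivalent of the scoped fix is the same idea: set the socket factory and hostname verifier on the individual HttpsURLConnection (or the plugin's own HTTP client) rather than through HttpsURLConnection.setDefaultSSLSocketFactory and setDefaultHostnameVerifier, and trust the private CA explicitly instead of accepting everything.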
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-04-30
The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVSS Score: 7.0 | EPSS Score: 0.006 | Published: 2019-04-29
IBM Emptoris Contract Management 10.0.0 and 10.1.3.0 could disclose sensitive information through detailed error messages. IBM X-Force ID: 153657.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2019-04-29
IBM Jazz Reporting Service (JRS) 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 155006.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-04-29
Shodan ® - All rights reserved