Shodan
Vulnerabilities
Vulnerable Software
Jenkins:  >> Jenkins  >> 2.93  Security Vulnerabilities
CVE-2018-6356
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
CVSS Score
6.5
EPSS Score
0.378
Published
2018-02-20
CVE-2018-1000067
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
CVSS Score
5.3
EPSS Score
0.004
Published
2018-02-16
CVE-2018-1000068
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.
CVSS Score
5.3
EPSS Score
0.003
Published
2018-02-16
CVE-2017-1000503
A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.
CVSS Score
8.1
EPSS Score
0.027
Published
2018-01-24
CVE-2017-1000504
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
CVSS Score
8.1
EPSS Score
0.011
Published
2018-01-24
CVE-2017-17383
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
CVSS Score
4.7
EPSS Score
0.002
Published
2017-12-06


Products
Pricing
Contact Us

Shodan ® - All rights reserved