Jenkins: Security Vulnerabilities
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
CVSS Score
8.0
EPSS Score
0.007
Published
2018-03-27
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins.
CVSS Score
4.3
EPSS Score
0.0
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins.
CVSS Score
5.4
EPSS Score
0.001
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata.
CVSS Score
6.5
EPSS Score
0.0
Published
2018-03-13
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.
CVSS Score
6.1
EPSS Score
0.001
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs.
CVSS Score
4.3
EPSS Score
0.0
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVSS Score
5.3
EPSS Score
0.13
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVSS Score
5.3
EPSS Score
0.0
Published
2018-03-13
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVSS Score
5.3
EPSS Score
0.001
Published
2018-03-13