Jenkins: >> Jenkins Security Vulnerabilities
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).
CVSS Score
3.1
EPSS Score
0.001
Published
2018-05-15
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
CVSS Score
2.6
EPSS Score
0.0
Published
2018-05-15
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
CVSS Score
4.3
EPSS Score
0.001
Published
2018-05-15
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).
CVSS Score
5.4
EPSS Score
0.0
Published
2018-05-15
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).
CVSS Score
4.3
EPSS Score
0.0
Published
2018-05-15
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
CVSS Score
8.8
EPSS Score
0.03
Published
2018-05-15
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.
CVSS Score
5.4
EPSS Score
0.001
Published
2018-05-15
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-05-10
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
CVSS Score
4.3
EPSS Score
0.0
Published
2018-05-08
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
CVSS Score
4.3
EPSS Score
0.002
Published
2018-05-08