Jenkins: Security Vulnerabilities
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or cause denial of service.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-01-23
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or cause denial of service.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-01-23
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-01-23
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-01-23
On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
CVSS Score
4.8
EPSS Score
0.0
Published
2018-01-23
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
CVSS Score
4.7
EPSS Score
0.002
Published
2017-12-06
Jenkins Git Client Plugin 2.4.2 and earlier creates a temporary file with insecure permissions, resulting in information disclosure.
CVSS Score
3.3
EPSS Score
0.0
Published
2017-11-01
Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites.
CVSS Score
4.3
EPSS Score
0.0
Published
2017-11-01
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF, resulting in data modification.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-11-01
The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.
CVSS Score
9.8
EPSS Score
0.001
Published
2017-11-01
Shodan ® - All rights reserved