Search for packages
| purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.32.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1gnc-b5tg-3fhe
Aliases: CVE-2017-2598 GHSA-r9q2-3r6x-qmgp |
Inadequate Encryption Strength Jenkins uses `AES ECB` block cipher mode without an `IV` for encrypting secrets, which makes Jenkins and the stored secrets vulnerable to unnecessary risks. |
Affected by 1 other vulnerability. |
|
VCID-2zwg-a71p-r7hs
Aliases: CVE-2017-2611 GHSA-3297-944x-j7x7 |
Improper Privilege Management Jenkins is vulnerable to an insufficient permission check for periodic processes. |
Affected by 1 other vulnerability. |
|
VCID-6cw8-67c2-1ugk
Aliases: CVE-2017-2606 GHSA-6967-9vvv-4cmm |
Information Exposure Jenkins is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible. This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an `UnprotectedRootAction`. |
Affected by 1 other vulnerability. |
|
VCID-8u35-jee9-5qes
Aliases: CVE-2017-2600 GHSA-wj5c-j656-h5fw |
Information Exposure In Jenkins, monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes. |
Affected by 1 other vulnerability. |
|
VCID-fndu-scdw-jueh
Aliases: CVE-2017-2604 GHSA-m93h-5qmx-pphg |
Improper Authentication In Jenkins, low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks. |
Affected by 1 other vulnerability. |
|
VCID-h23h-s8t3-byhr
Aliases: CVE-2017-2610 GHSA-jff5-55xj-4jcq |
Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names. |
Affected by 1 other vulnerability. |
|
VCID-hgy1-h6aj-dbbu
Aliases: CVE-2017-2609 GHSA-v222-w2mw-xjc6 |
Information Exposure Jenkins is vulnerable to an information disclosure vulnerability in search suggestions. The `autocomplete` feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. |
Affected by 1 other vulnerability. |
|
VCID-kbj2-ymsz-5qe8
Aliases: CVE-2017-2603 GHSA-x55p-6526-xmmp |
Information Exposure Jenkins is vulnerable to a user data leak in disconnected agents' `config.xml` API. This could leak sensitive data such as API tokens. |
Affected by 1 other vulnerability. |
|
VCID-kzfk-8p92-3bgs
Aliases: CVE-2017-2607 GHSA-42m6-7xff-9v9m |
Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting vulnerability in console notes. Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. |
Affected by 1 other vulnerability. |
|
VCID-q58h-d9w2-8yez
Aliases: CVE-2017-2602 GHSA-ffgg-vphh-v273 |
Information Exposure Jenkins is vulnerable to an improper exclusion of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents. |
Affected by 1 other vulnerability. |
|
VCID-rhrm-caa2-9kae
Aliases: CVE-2017-2599 GHSA-7r4h-2h23-6jq9 |
Improper Privilege Management Jenkins is vulnerable to an insufficient permission check. This allows users with permissions to create new items to overwrite existing items they don't have access to. |
Affected by 1 other vulnerability. |
|
VCID-v2ky-wpb2-6qhk
Aliases: CVE-2017-2601 GHSA-r69c-5j7c-vm6q |
Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting in parameter names and descriptions. Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. |
Affected by 1 other vulnerability. |
|
VCID-wb3y-k94s-eyb4
Aliases: CVE-2017-2608 GHSA-fwqr-3pvp-pjwq |
Deserialization of Untrusted Data Jenkins is vulnerable to a remote code execution vulnerability involving the deserialization of various types in `javax.imageio` in XStream-based APIs. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-yw8v-fqar-z7b5
Aliases: CVE-2017-2612 GHSA-wf9g-rh76-6jvr |
Incorrect Permission Assignment for Critical Resource In Jenkins low privilege users were able to override JDK download credentials, resulting in future builds possibly failing to download a JDK. |
Affected by 1 other vulnerability. |
|
VCID-zb9r-zjt8-wqae
Aliases: CVE-2017-2613 GHSA-pwv6-872c-gcg6 |
Cross-Site Request Forgery (CSRF) Jenkins is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create user records. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1gnc-b5tg-3fhe | Inadequate Encryption Strength Jenkins uses `AES ECB` block cipher mode without an `IV` for encrypting secrets, which makes Jenkins and the stored secrets vulnerable to unnecessary risks. |
CVE-2017-2598
GHSA-r9q2-3r6x-qmgp |
| VCID-6cw8-67c2-1ugk | Information Exposure Jenkins is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible. This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an `UnprotectedRootAction`. |
CVE-2017-2606
GHSA-6967-9vvv-4cmm |
| VCID-8u35-jee9-5qes | Information Exposure In Jenkins, monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes. |
CVE-2017-2600
GHSA-wj5c-j656-h5fw |
| VCID-fndu-scdw-jueh | Improper Authentication In Jenkins, low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks. |
CVE-2017-2604
GHSA-m93h-5qmx-pphg |
| VCID-h23h-s8t3-byhr | Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names. |
CVE-2017-2610
GHSA-jff5-55xj-4jcq |
| VCID-hgy1-h6aj-dbbu | Information Exposure Jenkins is vulnerable to an information disclosure vulnerability in search suggestions. The `autocomplete` feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. |
CVE-2017-2609
GHSA-v222-w2mw-xjc6 |
| VCID-kbj2-ymsz-5qe8 | Information Exposure Jenkins is vulnerable to a user data leak in disconnected agents' `config.xml` API. This could leak sensitive data such as API tokens. |
CVE-2017-2603
GHSA-x55p-6526-xmmp |
| VCID-kzfk-8p92-3bgs | Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting vulnerability in console notes. Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. |
CVE-2017-2607
GHSA-42m6-7xff-9v9m |
| VCID-q58h-d9w2-8yez | Information Exposure Jenkins is vulnerable to an improper exclusion of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents. |
CVE-2017-2602
GHSA-ffgg-vphh-v273 |
| VCID-rhrm-caa2-9kae | Improper Privilege Management Jenkins is vulnerable to an insufficient permission check. This allows users with permissions to create new items to overwrite existing items they don't have access to. |
CVE-2017-2599
GHSA-7r4h-2h23-6jq9 |
| VCID-sanw-xj8r-1kbb | Information Exposure The re-key admin monitor in Jenkins re-encrypts all secrets in `JENKINS_HOME` with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups are world-readable and not removed. |
CVE-2017-1000362
GHSA-92mr-4w2q-4578 |
| VCID-v2ky-wpb2-6qhk | Cross-site Scripting Jenkins is vulnerable to a persisted cross-site scripting in parameter names and descriptions. Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. |
CVE-2017-2601
GHSA-r69c-5j7c-vm6q |
| VCID-wb3y-k94s-eyb4 | Deserialization of Untrusted Data Jenkins is vulnerable to a remote code execution vulnerability involving the deserialization of various types in `javax.imageio` in XStream-based APIs. |
CVE-2017-2608
GHSA-fwqr-3pvp-pjwq |
| VCID-yw8v-fqar-z7b5 | Incorrect Permission Assignment for Critical Resource In Jenkins low privilege users were able to override JDK download credentials, resulting in future builds possibly failing to download a JDK. |
CVE-2017-2612
GHSA-wf9g-rh76-6jvr |
| VCID-zb9r-zjt8-wqae | Cross-Site Request Forgery (CSRF) Jenkins is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create user records. |
CVE-2017-2613
GHSA-pwv6-872c-gcg6 |