Search for packages
| purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-syz5-rzv5-ukhb
Aliases: CVE-2017-1000356 GHSA-85wq-pqhp-hmq6 |
Cross-Site Request Forgery (CSRF) Jenkins is vulnerable to an issue in the Jenkins user database authentication realm. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yq9y-tdnu-2uc3
Aliases: CVE-2017-1000355 GHSA-4466-8jm4-448p |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ytyb-zk5y-6ub2
Aliases: CVE-2017-1000354 GHSA-r57f-7xw3-q2r9 |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-z5ns-74uq-4uef
Aliases: CVE-2017-1000353 GHSA-26wc-3wqp-g3rp |
Deserialization of Untrusted Data in Jenkins An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing denylist-based protection mechanism. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||