VulnerableCode Package Details - pkg:rpm/redhat/jenkins-2-plugins@3.7.1502412812-1?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-1xxf-tjs3-zydm Aliases: CVE-2017-1000089 GHSA-8jx9-7j5m-79x4	Incorrect Default Permissions Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins.	There are no reported fixed by versions.
VCID-9s6y-pk9b-5uef Aliases: CVE-2017-1000085 GHSA-hrwc-pqfm-g6qf	Cross-Site Request Forgery (CSRF) Subversion Plugin connects to a user-specified Subversion repository as part of form validation. This functionality improperly checked permissions, allowing any user with `Item/Build` permission (but not `Item/Configure`) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.	There are no reported fixed by versions.
VCID-rkm8-dspy-byfm Aliases: CVE-2017-1000092 GHSA-rf5q-8gx3-xqfc	Cross-Site Request Forgery (CSRF) The Git plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.	There are no reported fixed by versions.
VCID-vnwr-bpsd-fff7 Aliases: CVE-2017-1000096 GHSA-mhwq-4mh7-fv7c	Incorrect Permission Assignment for Critical Resource Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-1xxf-tjs3-zydm
Aliases:
CVE-2017-1000089
GHSA-8jx9-7j5m-79x4

Incorrect Default Permissions Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins.

There are no reported fixed by versions.

VCID-9s6y-pk9b-5uef
Aliases:
CVE-2017-1000085
GHSA-hrwc-pqfm-g6qf

Cross-Site Request Forgery (CSRF) Subversion Plugin connects to a user-specified Subversion repository as part of form validation. This functionality improperly checked permissions, allowing any user with `Item/Build` permission (but not `Item/Configure`) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

There are no reported fixed by versions.

VCID-rkm8-dspy-byfm
Aliases:
CVE-2017-1000092
GHSA-rf5q-8gx3-xqfc

Cross-Site Request Forgery (CSRF) The Git plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

There are no reported fixed by versions.

VCID-vnwr-bpsd-fff7
Aliases:
CVE-2017-1000096
GHSA-mhwq-4mh7-fv7c

Incorrect Permission Assignment for Critical Resource Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:30:02.433123+00:00	RedHat Importer	Affected by	VCID-vnwr-bpsd-fff7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000096.json	38.0.0
2026-04-01T14:30:02.228518+00:00	RedHat Importer	Affected by	VCID-rkm8-dspy-byfm	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000092.json	38.0.0
2026-04-01T14:30:02.054081+00:00	RedHat Importer	Affected by	VCID-1xxf-tjs3-zydm	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000089.json	38.0.0
2026-04-01T14:30:01.882174+00:00	RedHat Importer	Affected by	VCID-9s6y-pk9b-5uef	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000085.json	38.0.0