GHSA-5MWR-JG3R-JV66 Jenkins allows Cross-Site Scripting (XSS)

Cross-site scripting XSS vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message...

GHSA-89VC-7FRQ-2RFJ Jenkins has Local File Inclusion Vulnerability

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/...

GHSA-5XMF-9VGR-53MJ Jenkins allows Unauthorized Viewing of Queue API Information

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api...

jenkins: Secret key not verified when connecting a slave (SECURITY-184)

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave...

jenkins: Public value used for CSRF protection salt (SECURITY-169)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack...

jenkins: Information disclosure via sidepanel (SECURITY-192)

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages...

jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665...

PT-2015-7730 · Cloudbees +2 · Jenkins +1

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 1.638 Jenkins LTS versions prior to 1.625.2 Description: The issue allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic...

PT-2015-6850 · Cloudbees +1 · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 1.638 Jenkins LTS versions prior to 1.625.2 Description: The issue allows remote attackers to obtain sensitive job and build name information via a direct request to the Fingerprints pages. This is an information...