Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2014-2066

Summary
Assigner-debian
Assigner Org ID-79363d38-fa19-49d1-9214-5f28da3f3ac5
Published At-17 Oct, 2014 | 15:00
Updated At-06 Aug, 2024 | 09:58
Rejected At-
Credits

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:debian
Assigner Org ID:79363d38-fa19-49d1-9214-5f28da3f3ac5
Published At:17 Oct, 2014 | 15:00
Updated At:06 Aug, 2024 | 09:58
Rejected At:
▼CVE Numbering Authority (CNA)

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2014/02/21/2
mailing-list
x_refsource_MLIST
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
x_refsource_CONFIRM
Hyperlink: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.openwall.com/lists/oss-security/2014/02/21/2
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
x_refsource_CONFIRM
x_transferred
http://www.openwall.com/lists/oss-security/2014/02/21/2
mailing-list
x_refsource_MLIST
x_transferred
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2014/02/21/2
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@debian.org
Published At:17 Oct, 2014 | 15:55
Updated At:06 May, 2026 | 22:30

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.06.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches

Jenkins
jenkins
>>jenkins>>Versions up to 1.532.1(inclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Jenkins
jenkins
>>jenkins>>Versions up to 1.550(inclusive)
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2014/02/21/2security@debian.org
N/A
https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842asecurity@debian.org
Patch
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14security@debian.org
Vendor Advisory
http://www.openwall.com/lists/oss-security/2014/02/21/2af854a3a-2127-422b-91ae-364da2661108
N/A
https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842aaf854a3a-2127-422b-91ae-364da2661108
Patch
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2014/02/21/2
Source: security@debian.org
Resource: N/A
Hyperlink: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
Source: security@debian.org
Resource:
Patch
Hyperlink: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Source: security@debian.org
Resource:
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2014/02/21/2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

282Records found

CVE-2019-10468
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.77%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-kubernetes_ciJenkins ElasticBox Jenkins Kubernetes CI/CD Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10471
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.77%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-libvirt_slavesJenkins Libvirt Slaves Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10368
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.80% / 52.08%
||
7 Day CHG~0.00%
Published-07 Aug, 2019 | 14:20
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-jcloudsJenkins JClouds Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10310
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.52% / 71.60%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 12:25
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins

Action-Not Available
Vendor-Jenkins
Product-ansible_towerJenkins Ansible Tower Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10338
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.04% / 59.69%
||
7 Day CHG~0.00%
Published-11 Jun, 2019 | 13:15
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials.

Action-Not Available
Vendor-Jenkins
Product-jx_resourcesJenkins JX Resources Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10359
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-6.3||MEDIUM
EPSS-0.61% / 44.69%
||
7 Day CHG~0.00%
Published-31 Jul, 2019 | 12:45
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

Action-Not Available
Vendor-Jenkins
Product-m2releaseJenkins Maven Release Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10437
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.84% / 53.23%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-crx_content_package_deployerJenkins CRX Content Package Deployer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10462
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.70% / 48.62%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-dynatrace_application_monitoringJenkins Dynatrace Application Monitoring Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10464
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.77% / 50.99%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 12:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

Action-Not Available
Vendor-Jenkins
Product-deploy_weblogicJenkins Deploy WebLogic Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10315
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-2.12% / 79.66%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 12:25
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.

Action-Not Available
Vendor-Jenkins
Product-github_authenticationJenkins GitHub Authentication Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1003007
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.21% / 64.70%
||
7 Day CHG~0.00%
Published-06 Feb, 2019 | 16:00
Updated-17 Sep, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.

Action-Not Available
Vendor-Jenkins
Product-warningsJenkins Warnings Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1003008
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.15% / 63.02%
||
7 Day CHG~0.00%
Published-06 Feb, 2019 | 16:00
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.

Action-Not Available
Vendor-Jenkins
Product-warnings_next_generationJenkins Warnings Next Generation Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1003049
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-2.11% / 79.54%
||
7 Day CHG~0.00%
Published-10 Apr, 2019 | 20:12
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Action-Not Available
Vendor-Oracle CorporationRed Hat, Inc.Jenkins
Product-communications_cloud_native_core_automated_test_suitejenkinsopenshift_container_platformJenkins
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2018-1000149
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.6||MEDIUM
EPSS-0.72% / 49.32%
||
7 Day CHG~0.00%
Published-05 Apr, 2018 | 13:00
Updated-16 Sep, 2024 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default.

Action-Not Available
Vendor-n/aJenkins
Product-ansiblen/a
CVE-2018-1000151
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.6||MEDIUM
EPSS-0.43% / 34.19%
||
7 Day CHG~0.00%
Published-05 Apr, 2018 | 13:00
Updated-16 Sep, 2024 | 23:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default.

Action-Not Available
Vendor-n/aJenkins
Product-vspheren/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-1000014
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.85% / 53.60%
||
7 Day CHG~0.00%
Published-23 Jan, 2018 | 14:00
Updated-05 Aug, 2024 | 12:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.

Action-Not Available
Vendor-n/aJenkins
Product-translation_assistancen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1000013
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.04% / 59.75%
||
7 Day CHG~0.00%
Published-23 Jan, 2018 | 14:00
Updated-05 Aug, 2024 | 12:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.

Action-Not Available
Vendor-n/aJenkins
Product-releasen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-2648
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-1.42% / 69.62%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 20:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.

Action-Not Available
Vendor-Jenkins
Product-ssh_slavesjenkins-ssh-slaves-plugin
CWE ID-CWE-295
Improper Certificate Validation
CVE-2017-1000244
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.83% / 53.13%
||
7 Day CHG~0.00%
Published-01 Nov, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification

Action-Not Available
Vendor-n/aJenkins
Product-favoriten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000503
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.17% / 63.48%
||
7 Day CHG~0.00%
Published-24 Jan, 2018 | 23:00
Updated-16 Sep, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2017-1000504
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.04% / 59.68%
||
7 Day CHG~0.00%
Published-24 Jan, 2018 | 23:00
Updated-05 Aug, 2024 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000093
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.80%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.

Action-Not Available
Vendor-n/aJenkins
Product-poll_scmn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000090
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.80%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.

Action-Not Available
Vendor-n/aJenkins
Product-role-based_authorization_strategyn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-30972
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.55%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Action-Not Available
Vendor-Jenkins
Product-storage_configsJenkins Storable Configs Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-28136
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.23%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:30
Updated-15 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-jiratestresultreporterJenkins JiraTestResultReporter Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-25198
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.24%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-scp_publisherJenkins SCP publisher Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-25207
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.71% / 48.86%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

Action-Not Available
Vendor-Jenkins
Product-chef_sinatraJenkins Chef Sinatra Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-21638
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.83% / 53.11%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 11:10
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-team_foundation_serverJenkins Team Foundation Server Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-34203
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.50% / 39.30%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 14:41
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server.

Action-Not Available
Vendor-Jenkins
Product-easyqaJenkins EasyQA Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-34200
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.50% / 39.30%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 14:41
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-convertigo_mobile_platformJenkins Convertigo Mobile Platform Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1000153
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.18%
||
7 Day CHG~0.00%
Published-05 Apr, 2018 | 13:00
Updated-16 Sep, 2024 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").

Action-Not Available
Vendor-n/aJenkins
Product-vspheren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-2649
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.96% / 57.16%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 20:00
Updated-16 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.

Action-Not Available
Vendor-Jenkins
Product-active_directoryActive Directory Jenkins plugin
CWE ID-CWE-295
Improper Certificate Validation
CVE-2017-2652
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-1.42% / 69.60%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 20:00
Updated-16 Sep, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.

Action-Not Available
Vendor-Jenkins
Product-distributed_forkDistFork Jenkins plugin
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-287
Improper Authentication
CVE-2017-1000354
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.24% / 65.47%
||
7 Day CHG~0.00%
Published-29 Jan, 2018 | 17:00
Updated-05 Aug, 2024 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-1000106
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.5||HIGH
EPSS-0.76% / 50.68%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name.

Action-Not Available
Vendor-n/aJenkins
Product-blue_oceann/a
CWE ID-CWE-287
Improper Authentication
CVE-2015-5298
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.59% / 43.90%
||
7 Day CHG~0.00%
Published-07 Jul, 2022 | 18:35
Updated-06 Aug, 2024 | 06:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

Action-Not Available
Vendor-n/aJenkins
Product-google_loginJenkins Google Login Plugin
CWE ID-CWE-287
Improper Authentication
CVE-2014-2062
Matching Score-6
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-6
Assigner-Debian GNU/Linux
CVSS Score-6.5||MEDIUM
EPSS-1.75% / 75.06%
||
7 Day CHG~0.00%
Published-17 Oct, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-47806
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.64% / 46.02%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 15:35
Updated-06 May, 2025 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

Action-Not Available
Vendor-Jenkins
Product-openid_connect_authenticationJenkins OpenId Connect Authentication Pluginjenkins_openid_connect_authentication_plugin
CWE ID-CWE-287
Improper Authentication
CVE-2024-47807
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.64% / 46.01%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 15:35
Updated-06 May, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

Action-Not Available
Vendor-Jenkins
Product-openid_connect_authenticationJenkins OpenId Connect Authentication Pluginjenkins_openid_connect_authentication_plugin
CWE ID-CWE-287
Improper Authentication
CVE-2018-1999045
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.87% / 54.49%
||
7 Day CHG~0.00%
Published-23 Aug, 2018 | 18:00
Updated-17 Sep, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Action-Not Available
Vendor-n/aJenkins
Product-jenkinsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-2604
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.35% / 68.09%
||
7 Day CHG~0.00%
Published-15 May, 2018 | 21:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

Action-Not Available
Vendor-[UNKNOWN]Jenkins
Product-jenkinsjenkins
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CWE ID-CWE-287
Improper Authentication
CVE-2017-1000110
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.72% / 49.29%
||
7 Day CHG~0.00%
Published-04 Oct, 2017 | 01:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean.

Action-Not Available
Vendor-n/aJenkins
Product-blue_oceann/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-47889
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 45.14%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 20:35
Updated-12 Jun, 2025 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

Action-Not Available
Vendor-Jenkins
Product-wso2_oauthJenkins WSO2 Oauth Plugin
CWE ID-CWE-287
Improper Authentication
CVE-2011-1561
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-2.05% / 78.91%
||
7 Day CHG~0.00%
Published-05 Apr, 2011 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The LDAP login feature in bos.rte.security 6.1.6.4 in IBM AIX 6.1, when ldap_auth is enabled in ldap.cfg, allows remote attackers to bypass authentication via a login attempt with an arbitrary password.

Action-Not Available
Vendor-n/aIBM Corporation
Product-aixn/a
CWE ID-CWE-287
Improper Authentication
CVE-2003-1475
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.38% / 68.82%
||
7 Day CHG~0.00%
Published-24 Oct, 2007 | 23:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netbus 1.5 through 1.7 allows more than one client to be connected at the same time, but only prompts the first connection for authentication, which allows remote attackers to gain access.

Action-Not Available
Vendor-netbusn/a
Product-netbusn/a
CWE ID-CWE-287
Improper Authentication
CVE-2003-1434
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.11% / 61.86%
||
7 Day CHG~0.00%
Published-23 Oct, 2007 | 01:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

login_ldap 3.1 and 3.2 allows remote attackers to initiate unauthenticated bind requests if (1) bind_anon_dn is on, which allows a bind with no password provided, (2) bind_anon_cred is on, which allows a bind with no DN, or (3) bind_anon is on, which allows a bind with no DN or password.

Action-Not Available
Vendor-pete_wernern/a
Product-login_ldapn/a
CWE ID-CWE-287
Improper Authentication
CVE-2015-7882
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.76% / 75.19%
||
7 Day CHG~0.00%
Published-19 Jul, 2019 | 15:44
Updated-06 Aug, 2024 | 08:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication bypass when using LDAP authentication in MongoDB Enterprise Server

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.

Action-Not Available
Vendor-n/aMongoDB, Inc.
Product-mongodbn/a
CWE ID-CWE-287
Improper Authentication
CVE-2015-6817
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-8.1||HIGH
EPSS-2.16% / 79.99%
||
7 Day CHG~0.00%
Published-23 May, 2017 | 03:56
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.

Action-Not Available
Vendor-pgbouncern/a
Product-pgbouncern/a
CWE ID-CWE-287
Improper Authentication
CVE-2011-0438
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.53% / 71.62%
||
7 Day CHG~0.00%
Published-15 Mar, 2011 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nslcd/pam.c in the nss-pam-ldapd 0.8.0 PAM module returns a success code when a user is not found in LDAP, which allows remote attackers to bypass authentication.

Action-Not Available
Vendor-arthurdejongn/a
Product-nss-pam-ldapdn/a
CWE ID-CWE-287
Improper Authentication
CVE-2001-1585
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.92% / 77.45%
||
7 Day CHG~0.00%
Published-06 Oct, 2007 | 21:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.

Action-Not Available
Vendor-n/aOpenBSD
Product-opensshn/a
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found