Vulnerability Database

The Rapid7 Vulnerability Database is a list of 70,000 vulnerabilities that helps security analysts and researchers identify and address known security issues through vulnerability management solutions. Each vulnerability has links to relevant groups such as Mitre and other CVE Numbering Authorities, as well as additional technical documentation. These vulnerabilities are utilized by our vulnerability management tool, Nexpose, and are provided here for additional visibility.


Jenkins Advisory 2017-10-11: CVE-2017-1000401: Form validation for password fields was sent via GET Vulnerability

  • Severity: 4
  • Published: November 19, 2017

The Jenkins default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form va...

Jenkins Advisory 2017-11-08: CVE-2017-1000392: Persisted XSS vulnerability in autocompletion suggestions Vulnerability

  • Severity: 4
  • Published: November 19, 2017

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters such as less-than and greater-than characters. Known previously unsafe sources for these suggestions include the names of loggers ...

Jenkins Advisory 2017-10-11: CVE-2017-1000400: "Job" remote API disclosed information about inaccessible upstream/downstream jobs Vulnerability

  • Severity: 4
  • Published: November 19, 2017

The remote API at contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Jenkins Advisory 2017-10-11: CVE-2017-1000395: "User" remote API disclosed users' email addresses Vulnerability

  • Severity: 4
  • Published: November 19, 2017

Information about Jenkins user accounts is generally available to anyone with Overall/Read permission via the remote API. This included, for example, Jenkins users' email addresses if the is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administra...

Jenkins Advisory 2017-11-08: CVE-2017-1000391: Unsafe use of user names as directory names Vulnerability

  • Severity: 4
  • Published: November 19, 2017

Jenkins stores metadata related to , which encompasses actual user accounts as well as users appearing in SCM, in directories on disk corresponding to the user ID. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems, such as the following: This is not limited to...

Jenkins Advisory 2017-10-11: CVE-2017-1000399: "Queue Item" remote API disclosed information about inaccessible jobs Vulnerability

  • Severity: 4
  • Published: November 19, 2017

The remote API at showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to...