Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-1000119

Publication date:

05/10/2017

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000105

Publication date:

05/10/2017

The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000114

Publication date:

05/10/2017

The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000120

Publication date:

05/10/2017

[ERPNext][Frappe Version

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000118

Publication date:

05/10/2017

Akka HTTP versions

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000109

Publication date:

05/10/2017

The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000113

Publication date:

05/10/2017

The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000115

Publication date:

05/10/2017

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000090

Publication date:

05/10/2017

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000088

Publication date:

05/10/2017

The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000087

Publication date:

05/10/2017

GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they&#39;d like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-1000085

Publication date:

05/10/2017

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

Subscribe to Vulnerabilities