Kohsuke Kawaguchi

6 exploits Active since Feb 2013
CVE-2017-12197 NOMISEC MEDIUM WORKING POC
libpam4j <1.9 - Auth Bypass
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
CVSS 6.5
CVE-2017-2649 NOMISEC HIGH WRITEUP
Jenkins Active Directory < 2.2 - Improper Certificate Validation
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
CVSS 8.1
CVE-2022-25174 NOMISEC HIGH WORKING POC
Jenkins Pipeline < 552.vd9cc05b8a2e1 - OS Command Injection
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVSS 8.8
CVE-2017-12197 NOMISEC MEDIUM WORKING POC
libpam4j <1.9 - Auth Bypass
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
CVSS 6.5
CVE-2017-2649 NOMISEC HIGH WRITEUP
Jenkins Active Directory < 2.2 - Improper Certificate Validation
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
CVSS 8.1
CVE-2013-0158 WRITEUP WRITEUP
Jenkins <1.498 - Info Disclosure
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.