In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is...
7.5 CVSS
7.5 AI Score
0.001 EPSS
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination...
9.8 CVSS
7.2 AI Score
0.003 EPSS
Jenkins plugins Multiple Vulnerabilities (2022-05-17)
According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and...
8.8 CVSS
8.3 AI Score
0.002 EPSS
Gshell - A Flexible And Scalable Cross-Platform Shell Generator Tool
A simple yet flexible cross-platform shell generator tool. Name: G(Great) Shell Description: A cross-platform shell generator tool that lets you generate whichever shell you want, in any system you want, giving you full control and automation. If you find this tool helpful, then please give me a...
-0.7 AI Score
Jenkins plugins Multiple Vulnerabilities (2022-02-15)
According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: Multiple Pipeline-related plugins that perform on-controller SCM checkouts reuse the same workspace directory for checkouts of distinct...
8.8 CVSS
8.5 AI Score
0.001 EPSS
(RHSA-2022:4909) Important: OpenShift Container Platform 4.7.52 packages and security update
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.52. See the following advisory for the container...
0.5 AI Score
0.001 EPSS
Insecure Pull Request Submission
Jenkins Pipeline: Shared Groovy uses insecure submission of pull requests. It allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved...
5.3 CVSS
5.7 AI Score
0.001 EPSS
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries. This allows attackers...
9.8 CVSS
2 AI Score
0.003 EPSS
Improper Input Validation in Jenkins Pipeline: Groovy Plugin
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed...
8.8 CVSS
3.2 AI Score
0.001 EPSS
Improper Input Validation in Jenkins Pipeline: Groovy Plugin
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed...
8.8 CVSS
8.3 AI Score
0.001 EPSS
Jenkins Splunk Plugin Sandbox Bypass
Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST...
8.8 CVSS
7.7 AI Score
0.001 EPSS
Jenkins Splunk Plugin Sandbox Bypass
Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST...
8.8 CVSS
7.6 AI Score
0.001 EPSS
Missing Authorization in Jenkins Pipeline: Shared Groovy Libraries Plugin
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global...
4.3 CVSS
3.2 AI Score
0.001 EPSS
Jenkins plugins Multiple Vulnerabilities (2022-04-12)
According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are Jenkins CVS Plugin prior to 2.19.1, Credentials Plugin prior to 1112., Extended Choice Parameter Plugin 346. or earlier, Gerrit Trigger Plugin prior to 2.35.3, Git Parameter...
8.8 CVSS
6.2 AI Score
0.001 EPSS
Jenkins Pipeline Security Feature Issue Vulnerability
Jenkins Pipeline is a set of plugins that support the implementation and integration of continuous delivery pipelines into Jenkins. Jenkins Pipeline: Groovy Plugin is vulnerable to a security feature issue that could be exploited by an attacker to load any Groovy source file on the class path of...
2.4 AI Score
RHEL 8 : OpenShift Container Platform 4.9.33 (RHSA-2022:2205)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:2205 advisory. credentials: Stored XSS vulnerabilities in jenkins plugin (CVE-2022-29036) Jira: Stored XSS vulnerabilities in Jenkins Jira plugin...
5.4 CVSS
6.1 AI Score
0.001 EPSS
(RHSA-2022:2205) Important: OpenShift Container Platform 4.9.33 packages and security update
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.33. See the following advisory for the container...
0.5 AI Score
0.001 EPSS
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could...
8.5 CVSS
8.3 AI Score
0.001 EPSS
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could...
8.5 CVSS
1.1 AI Score
0.001 EPSS
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed...
8.5 CVSS
0.001 EPSS
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed...
8.5 CVSS
8.3 AI Score
0.001 EPSS
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed...
8.5 CVSS
2.1 AI Score
0.001 EPSS
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed...
8.7 AI Score
0.001 EPSS
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.10, or 2.x prior to 2.332.2.6. It is, therefore, affected by multiple vulnerabilities, including the following: Jenkins Pipeline: Shared Groovy Libraries Plugin...
8.8 CVSS
6.2 AI Score
0.001 EPSS
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Script Security Plugin
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...
6.5 CVSS
2.1 AI Score
0.001 EPSS
Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI...
5.4 CVSS
3.7 AI Score
0.001 EPSS
Improper Access Control in Elasticsearch
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted...
7.4 AI Score
0.856 EPSS
Improper Access Control in Elasticsearch
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted...
9 AI Score
0.856 EPSS
Improper Limitation of a Pathname to a Restricted Directory in Jenkins
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java,...
6.5 CVSS
3.6 AI Score
0.001 EPSS
Improper Privilege Management in Jenkins
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy...
8.8 CVSS
6.2 AI Score
0.003 EPSS
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure...
8.8 CVSS
7.7 AI Score
0.003 EPSS
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure...
8.8 CVSS
8 AI Score
0.003 EPSS
Arbitrary code execution vulnerability in Jenkins Speaks! Plugin
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run...
8.8 CVSS
7.2 AI Score
0.001 EPSS
Arbitrary code execution vulnerability in Jenkins Speaks! Plugin
Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run...
8.8 CVSS
7 AI Score
0.001 EPSS
Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability
Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to...
8.8 CVSS
7.7 AI Score
0.001 EPSS
Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability
Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to...
8.8 CVSS
7.6 AI Score
0.001 EPSS
Jenkins CLI Deserialization of Untrusted Data vulnerability
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in...
9.8 CVSS
9.8 AI Score
0.737 EPSS
Jenkins CLI Deserialization of Untrusted Data vulnerability
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in...
9.8 CVSS
7.6 AI Score
0.737 EPSS
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized...
9.8 CVSS
9.3 AI Score
0.023 EPSS
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized...
9.8 CVSS
7.7 AI Score
0.023 EPSS
Deserialization of Untrusted Data in Groovy
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized...
9.8 CVSS
5.2 AI Score
0.037 EPSS