298 matches found
CVE-2017-2603
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens SECURITY-362...
CVE-2017-2603
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens SECURITY-362...
Design/Logic Flaw
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens SECURITY-362...
CVE-2017-2603
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens SECURITY-362...
Snapchat: Open prod Jenkins instance
@prebenve found a Jenkins instance where they could login with any valid Google account. Once logged in, they gained access to sensitive API tokens. The access also included some source code disclosure for public apps and the ability to execute arbitrary code via the Jenkins Script Console...
CVE-2017-2603
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens SECURITY-362...
jenkins: Non-constant time comparison of API token (SECURITY-241)
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach...
GitLab: Confidential issues leaked in public projects when attached to milestone
Vulnerability details When a confidential issue in a public or internal project is attached to a milestone, it is exposed through the GitLab API. Proof of concept As a victim, create a new public or internal project. Lets state that the project has ID 1. Create a milestone for this project. After...
GitLab: Attacker can delete (and read) private project webhooks
Vulnerability details An attacker can delete and read webhooks that are configured for all projects on a GitLab instance. This includes private projects. This is a bad vulnerability because these webhooks contain private API tokens most of the time. Proof of concept As a victim, create a project...
CVE-2016-0790
Jenkins CVE-2016-0790 affects Jenkins core before 1.650 and LTS before 1.642.2, where API token verification does not use a constant-time algorithm—enabling remote attackers to brute-force tokens. The linked sources confirm this cryptographic weakness and tie it to Jenkins releases prior to these...
Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities
The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the...
CVE-2015-5323
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user...
CVE-2015-5323
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user...
CVE-2015-5323
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user...
CVE-2015-5323
CVE-2015-5323 affects Jenkins: versions before 1.638 and the LTS line prior to 1.625.2 do not properly restrict access to API tokens, which could allow a remote administrator to gain privileges and run scripts using another user’s API token. Mitigation is to upgrade to Jenkins 1.638 or later, and...
X (Formerly Twitter): IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
Hello, There is an option to enroll your organization in fabric.io for mopub , but this particular end point is missing proper authorization checks allowing any user to steal API tokens. Vulnerable request ================ POST /api/v3/organizations/5460d2394b793294df01104a/mopub/activate HTTP/1....
jenkins -- HTTP access to the server to retrieve the master cryptographic key
Jenkins Security Advisory reports: This advisory announces a security vulnerability that was found in Jenkins core. An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls. The...
Mandriva Update for krb5 MDVSA-2010:100 (krb5)
Check for the Version of krb5 OpenVAS Vulnerability Test Mandriva Update for krb5 MDVSA-2010:100 krb5 Authors: System Generated Check Copyright: Copyright c 2010 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under the ter...