31 matches found
EUVD-2022-5435
Malicious code in bioql PyPI...
EUVD-2023-2522
Malicious code in bioql PyPI...
EUVD-2022-4336
Malicious code in bioql PyPI...
CVE-2023-41935
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...
CVE-2023-24426
Jenkins Azure AD Plugin 303.va91ef20ee49f and earlier does not invalidate the previous session on login...
CVE-2021-21679
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins...
CVE-2020-2119
Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure...
CVE-2019-10318
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system...
Cross site request forgery (csrf)
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...
CVE-2023-41935
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...
CVE-2023-41935
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...
CVE-2023-24426
Jenkins Azure AD Plugin 303.va91ef20ee49f and earlier does not invalidate the previous session on login...
Information disclosure
Jenkins Azure AD Plugin 303.va91ef20ee49f and earlier does not invalidate the previous session on login...
PT-2023-19586 · Jenkins · Jenkins Azure Ad Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Azure AD Plugin versions 303.va 91ef20ee49f and earlier Description: The issue is related to the Jenkins Azure AD Plugin not invalidating the previous session on login. This could potentially allow unauthorized access. Recommendations...
CVE-2023-24426
Jenkins Azure AD Plugin 303.va91ef20ee49f and earlier does not invalidate the previous session on login...
CVE-2023-24426
The CVE-2023-24426 entry refers to Jenkins Azure AD Plugin (versions 303.va_91ef20ee49f and earlier) that does not invalidate an existing session on login. This behavior can allow an attacker with social engineering to gain administrator access to Jenkins, per Jenkins advisory notes. The issue is...
Jenkins Azure AD Plugin allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Jenkins Azure AD Plugin implements this extension point for URLs used by a JavaScript component. In Jenkins Azure AD Plugin 179.vf6841393099e and earlier this implementation is...
GHSA-VVG2-HG3C-MQJ3 Client secret transmitted in plain text by Azure AD Plugin
Azure AD Plugin stores a client secret in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions,...
Jenkins Enterprise and Operations Center < 2.249.32.0.2 / 2.277.41.0.2 / 2.303.1.6 Multiple Vulnerabilities (CloudBees Security Advisory 2021-08-31)
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.x prior to 2.303.1.6, 2.249.x prior to 2.249.32.0.2, or 2.277.x prior to 2.277.41.0.2. It is, therefore, affected by multiple vulnerabilities, including the following: - Jenkins Code Coverage API...
CVE-2021-21679
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins...