66 matches found
EUVD-2022-2729
Malicious code in bioql PyPI...
EUVD-2022-5828
Malicious code in bioql PyPI...
EUVD-2022-3853
Malicious code in bioql PyPI...
EUVD-2022-5482
Malicious code in bioql PyPI...
EUVD-2022-2931
Malicious code in bioql PyPI...
EUVD-2022-4521
Malicious code in bioql PyPI...
CVE-2019-10334
Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files...
CVE-2019-10333
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances...
CVE-2019-10335
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages...
CVE-2019-10336
A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin...
CVE-2019-10332
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10331
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials...
GHSA-66R6-RVV9-9X6M Jenkins ElectricFlow Plugin missing permission check
A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST...
GHSA-76X4-HR82-CG3M Jenkins ElectricFlow Plugin cross-site request forgery vulnerability
A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST...
GHSA-W3PJ-V9JR-V2WC Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability
The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. CloudBees ...
GHSA-M8F2-9282-X38V Jenkins ElectricFlow Plugin Missing permission checks
Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers...
GHSA-XMQV-PFW7-QMJ7 Jenkins ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. CloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment fo...
Jenkins ElectricFlow Plugin Missing permission checks
Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers...
Jenkins ElectricFlow Plugin missing permission check
A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST...
Jenkins ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. CloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment fo...