GHSA-XW6J-MQ6V-PMV6 Jenkins SAML Single Sign On(SSO) Plugin Cross-Site Request Forgery vulnerability

Jenkins SAML Single Sign OnSSO Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins...

GHSA-RV6G-3V76-CVF9 Jenkins Azure VM Agents Plugin missing permission checks

Jenkins Azure VM Agents Plugin 852.v8d35f0960a43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another...

GHSA-Q77X-CXRQ-988J Jenkins Azure VM Agents Plugin missing permission checks

Jenkins Azure VM Agents Plugin 852.v8d35f0960a43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another...

GHSA-3XF9-PGC2-MR9C Jenkins SAML Single Sign On(SSO) Plugin missing permission checks

Jenkins SAML Single Sign OnSSO Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins...

PT-2023-24121 · Jenkins · Jenkins Azure Vm Agents Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier Description: A cross-site request forgery CSRF vulnerability allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials I...

GHSA-X263-HP5C-P2RJ Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not...

PT-2023-21895 · Jenkins · Jenkins Octoperf Load Testing Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins OctoPerf Load Testing Plugin Plugin versions 4.5.2 and earlier Description: A cross-site request forgery CSRF vulnerability allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials. T...

Denial of service in Jenkins Core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 is affected by the Apache Commons FileUpload library’s vulnerability CVE-2023-24998. This library is used to process uploaded files via the Stapler web framework usually through StaplerRequestgetFile and...

GHSA-JWR6-75XH-JH5J Synopsys Jenkins Coverity Plugin has Incorrect Default Permissions

Synopsys Coverity Plugin 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...

plugin: missing permission checks in Blue Ocean Plugin

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server...

Isode M-Link 安全漏洞

Isode M-Link is an Isode core instant messaging and status server based on the XMPP Extensible Messaging and Status Protocol standard from Isode UK. A security vulnerability exists in Isode M-Link versions R16.2v1 through R17.0v23, which stems from a vulnerability that allows unmanaged users to...

CVE-2022-47634

M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867...

CVE-2022-47634

M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867...

Design/Logic Flaw

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0...

Missing permission checks in Jenkins Katalon Plugin allow capturing credentials

Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials

Katalon Plugin 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...

Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

GHSA-X8J7-VXH9-P67G CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials

Katalon Plugin 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...

GHSA-5FVG-H778-JJJX Missing permission checks in Jenkins Katalon Plugin allow capturing credentials

Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

CVE-2022-43417

Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...