296 matches found
Design/Logic Flaw
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials...
CVE-2022-34798
CVE-2022-34798 affects Jenkins Deployment Dashboard Plugin (versions 1.0.10 and earlier). The issue is a missing permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. This can ...
CVE-2022-34785
CVE-2022-34785 affects the Jenkins build-metrics Plugin (version 1.3 and earlier). The issue is that the plugin does not perform permission checks on multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs they would normally not have access to. P...
PT-2022-22350 · Jenkins · Jenkins Deployment Dashboard Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Deployment Dashboard Plugin versions 1.0.10 and earlier Description: The issue concerns a lack of permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP UR...
PT-2022-22330 · Xebialabs +1 · Xebialabs Xl Release Plugin +1
Name of the Vulnerable Software and Affected Versions: XebiaLabs XL Release Plugin versions 22.0.0 and earlier Description: A missing permission check in the XebiaLabs XL Release Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Th...
Jenkins Plugin Deployment Dashboard 安全漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is an application. Jenkins Plugin is an application that provides hundreds of plugins to support building, deploying, and automating any project. The vulnerability stems from not performing permission checks in multiple HTTP...
Path Traversal in Git HTTP endpoints in Gogs
Impact The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected. Patches Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds N/A References...
GHSA-6VCC-V9VW-G2X5 Path Traversal in Git HTTP endpoints in Gogs
Impact The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected. Patches Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds N/A References...
CSRF vulnerabilities in Jenkins requests-plugin Plugin
Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or...
GHSA-5FRH-WX6V-8M2R CSRF vulnerabilities in Jenkins requests-plugin Plugin
Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or...
Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an...
Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 require...
Missing permission checks in Jenkins OWASP Dependency-Track Plugin allow capturing credentials
Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
GHSA-XFRW-PCMC-R2P3 Missing permission checks in Jenkins OWASP Dependency-Track Plugin allow capturing credentials
Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
GHSA-V7XH-H48C-XW5F CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials
Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs
CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins if any of the following plugins are installed: - Amazon...
Missing permission checks in Jenkins Chaos Monkey Plugin
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to generate load and to generate memory leaks. Jenkins Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and t...
GHSA-MR75-899X-QCXQ Missing permission checks in Jenkins Chaos Monkey Plugin
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to generate load and to generate memory leaks. Jenkins Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and t...
CSRF vulnerability in Jenkins Shelve Project Plugin
Jenkins Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to shelve, unshelve, or delete a project. Jenkins Shelve Project Plugin 3.1 requires POST requests f...
GHSA-9F37-GGXM-H6WX CSRF vulnerability in Jenkins Shelve Project Plugin
Jenkins Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to shelve, unshelve, or delete a project. Jenkins Shelve Project Plugin 3.1 requires POST requests f...