296 matches found
GHSA-8WGF-3MRJ-73X7 Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials
Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...
CVE-2023-37918 API token authentication bypass in HTTP endpoints in Dapr
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...
Missing Permission Check
org.jenkins-ci.plugins:elasticbox is vulnerable to Missing Permission Checks. The vulnerability exists because the library does not perform permission checks in several HTTP endpoints, which allows an attacker to connect to URLs with credentials obtained through a different method, resulting in...
Cross-Site Request Forgery (CSRF)
org.jenkins-ci.plugins:elasticbox is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to not requiring POST requests for HTTP endpoints, allowing an attacker to connect to nefarious URLs using credentials obtained in another way, resulting in stealing credentials from...
Jenkins ElasticBox CI Plugin vulnerable to cross-site request forgery
Jenkins ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
GHSA-GG44-XM5P-X9CM Jenkins ElasticBox CI Plugin missing permission check
Jenkins ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Jenkins mabl Plugin missing permission check
Jenkins mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Improper Validations
Jenkins Digital.ai App Management Publisher Plugin is vulnerable to Improper Validations. The vulnerability exists due to not performing permission checks in several HTTP endpoints, which allows an attacker with Overall/Read permission to capture sensitive data such as stored credentials...
plugin: missing permission checks in Blue Ocean Plugin
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server...
GHSA-5GHV-WXH9-7356 Jenkins Digital.ai App Management Publisher Plugin missing permission checks
Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
Jenkins Digital.ai App Management Publisher Plugin missing permission checks
Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
GHSA-R72X-2H45-P59X Jenkins Digital.ai App Management Publisher Plugin vulnerable to Cross-Site Request Forgery
Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
Jenkins Digital.ai App Management Publisher Plugin vulnerable to Cross-Site Request Forgery
Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
PT-2023-25168 · Digital.Ai +1 · Jenkins Digital.Ai App Management Publisher Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Digital.ai App Management Publisher Plugin versions 2.6 and earlier Description: A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials...
Cross-Site Request Forgery (CSRF)
Codedx is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists due to not performing permission checks in several HTTP endpoints, which allows an attacker with read permission to connect to a specific URL...
GHSA-MJMF-7WJW-F5XX Jenkins Code Dx Plugin missing permission checks
Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request...
Jenkins Code Dx Plugin cross-site request forgery vulnerability
Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request...
Jenkins Code Dx Plugin missing permission checks
Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request...
Jenkins SAML Single Sign On(SSO) Plugin missing permission checks
Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins...
GHSA-3XF9-PGC2-MR9C Jenkins SAML Single Sign On(SSO) Plugin missing permission checks
Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins...
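Nearly every Jenkins entry above describes the same bug class: a form-validation endpoint such as "test connection" that resolves a credentials ID the caller supplies, sends the secret to a URL the caller supplies, and is reachable by GET without a permission check. The following is an added example, not code from any of the plugins listed, showing that vulnerable pattern next to the hardened form the advisories imply. The package, class name and the probe() helper are hypothetical; the Jenkins core, Stapler and Credentials Plugin APIs (@POST, @AncestorInPath, Item.CONFIGURE, CredentialsProvider.lookupCredentials, CredentialsMatchers) are the real ones.

```java
// Added example (not from any plugin listed above). Package, class and
// probe() are hypothetical; the Jenkins/Stapler/Credentials APIs are real.
package example.connector;

import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ConnectorDescriptorExamples {

    // BEFORE: the pattern the advisories describe. Reachable by GET, no
    // permission check, credentials resolved globally. Anyone with Overall/Read
    // who knows a credentials ID (visible in job config, logs, or guessable)
    // points `url` at a host they control and receives the stored username and
    // password in the Authorization header. Because GET is accepted, a page the
    // victim merely visits can fire the same request (the CSRF variant).
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(credentialsId));
        return probe(url, creds);
    }

    // AFTER: require POST (Jenkins checks its CSRF crumb on POST, and a plain
    // cross-site GET no longer reaches the handler), require Item/Configure on
    // the item whose credentials are used (Overall/Administer when there is no
    // item context), and resolve the credential in that item's scope rather
    // than from the global store.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                item, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(credentialsId));
        return probe(url, creds);
    }

    // Hypothetical connectivity check: one authenticated HEAD request. Only
    // http(s) is accepted so the endpoint cannot be turned into a generic
    // scheme-agnostic request proxy.
    static FormValidation probe(String url, StandardUsernamePasswordCredentials creds) {
        if (creds == null) {
            return FormValidation.error("Unknown credentials ID");
        }
        try {
            URL target = new URL(url);
            String scheme = target.getProtocol();
            if (!"https".equals(scheme) && !"http".equals(scheme)) {
                return FormValidation.error("Only http(s) URLs are supported");
            }
            String basic = Base64.getEncoder().encodeToString(
                (creds.getUsername() + ":" + creds.getPassword().getPlainText())
                    .getBytes(StandardCharsets.UTF_8));
            HttpURLConnection conn = (HttpURLConnection) target.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Authorization", "Basic " + basic);
            int status = conn.getResponseCode();
            return status < 400
                ? FormValidation.ok("Connected (HTTP " + status + ")")
                : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The annotation alone is not enough: the Jelly view that calls the endpoint must also send a POST (f:validateButton does by default; an f:textbox needs checkMethod="post"), or the validation simply stops working for legitimate users. The permission check belongs on the item obtained via @AncestorInPath, not on a global Item/Configure grant; the Qualys entry above is the case where a check was present but scoped incorrectly. The SAML entries describe a different endpoint family (fetching and parsing XML, reading local files) and need the same POST-plus-permission treatment, but the example above only covers the credentials-to-attacker-URL pattern.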