Lucene search
+L

372 matches found

Github Security Blog
Github Security Blog
added 2024/05/02 3:30 p.m.40 views

Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies

Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call ...

9.8CVSS7.8AI score0.48081EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2024/05/02 2:15 p.m.24 views

CVE-2024-34144

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377ae and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the contex...

9.8CVSS7AI score0.48081EPSS
Exploits0References2
CVE
CVE
added 2024/05/02 1:28 p.m.94 views

CVE-2024-34147

CVE-2024-34147 affects the Jenkins Telegram Bot Plugin (versions 1.4.0 and earlier). The vulnerability stems from storing the Telegram Bot token in plaintext in the global configuration file on the Jenkins controller (jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml), which can be...

4.3CVSS6.6AI score0.0052EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2024/05/02 1:28 p.m.84 views

CVE-2024-34144

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377ae and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the contex...

7.4AI score0.48081EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2024/05/02 1:28 p.m.9 views

CVE-2024-34144

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377ae and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the contex...

9.8CVSS7.9AI score0.48081EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/05/02 12:0 a.m.59 views

Jenkins plugins Multiple Vulnerabilities (2024-05-02)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are...

9.8CVSS6.9AI score0.48081EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2024/02/12 10:38 a.m.3 views

jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin

A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with...

8.8CVSS6.1AI score0.00585EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2024/02/12 10:27 a.m.8 views

jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin

A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with...

8.8CVSS6.1AI score0.00585EPSS
Exploits0References5
Veracode
Veracode
added 2024/01/29 9:10 a.m.24 views

Arbitrary File Read

Jenkins Git server Plugin is vulnerable to Information Disclosure. The vulnerability is caused due to a lack of proper input validation in the Git Server Plugin's command parser feature. This allows an attacker with Overall/Read permission to read content from arbitrary files on the Jenkins...

6.5CVSS6.6AI score0.01262EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2024/01/24 6:31 p.m.25 views

GHSA-VPH5-2Q33-7R9H Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the args4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents...

8.8CVSS7.8AI score0.01262EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2024/01/24 6:31 p.m.44 views

Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the args4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents...

6.5CVSS6.5AI score0.01262EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2024/01/24 5:52 p.m.51 views

CVE-2024-23899

Jenkins Git server Plugin 99.va0826abcdfad and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenki...

6.8AI score0.01262EPSS
Exploits0References2
Veracode
Veracode
added 2023/12/15 6:32 a.m.30 views

Cleartext Storage Of Sensitive Information

oic-auth is vulnerable to Cleartext Storage of Sensitive Information. The vulnerability is due to a password of a local user account stored in plain text. This password is used as an anti-lockout feature. An attacker with access to jenkins controller file system can recover this password and like...

6.7CVSS6.9AI score0.00286EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2023/12/13 6:31 p.m.41 views

GHSA-C2F6-RF2R-6J6F Tokens stored in plain text by PaaSLane Estimate Plugin

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS5AI score0.00339EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/12/13 6:31 p.m.32 views

Tokens stored in plain text by Dingding JSON Pusher Plugin

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS6.9AI score0.00347EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2023/12/13 6:31 p.m.43 views

Password stored in a recoverable format by Jenkins OpenId Connect Authentication Plugin

Jenkins OpenId Connect Authentication Plugin stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator...

6.7CVSS6.7AI score0.00286EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2023/12/13 6:15 p.m.31 views

CVE-2023-50776

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS0.00339EPSS
Exploits0References2
NVD
NVD
added 2023/12/13 6:15 p.m.29 views

CVE-2023-50770

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining...

6.7CVSS0.00286EPSS
Exploits0References2
NVD
NVD
added 2023/12/13 6:15 p.m.35 views

CVE-2023-50772

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS0.00347EPSS
Exploits0References2
OSV
OSV
added 2023/12/13 6:15 p.m.25 views

CVE-2023-50772

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS4.6AI score
Exploits0References2
Rows per page
Query Builder