Jenkins Script Security Plugin: Missing permission checks allow enumeration of pending and approved classpaths

Jenkins Script Security Plugin versions 1399.ve6a66547f6e1 and earlier do not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. Script Security Plugin 1402.v94c9ce464861 requires...

EUVD-2022-7052

Malicious code in bioql PyPI...

EUVD-2022-2690

Malicious code in bioql PyPI...

EUVD-2022-4221

Malicious code in bioql PyPI...

EUVD-2022-4918

Malicious code in bioql PyPI...

EUVD-2022-7088

Malicious code in bioql PyPI...

EUVD-2022-3365

Malicious code in bioql PyPI...

EUVD-2022-2891

Malicious code in bioql PyPI...

EUVD-2024-1357

Malicious code in bioql PyPI...

EUVD-2022-5137

Malicious code in bioql PyPI...

EUVD-2022-4680

Malicious code in bioql PyPI...

EUVD-2022-6986

Malicious code in bioql PyPI...

CVE-2024-52549

CVE-2024-52549 affects Jenkins Script Security Plugin (1367.vdf2fc45f229c and earlier, with exceptions 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776). The issue is a missing permission check in a form-validation method, allowing attackers with Overall/Read permission to determine wheth...

CVE-2024-34144

CVE-2024-34144 affects Jenkins Script Security Plugin (1335.vf07d9ce377a_e and earlier). The vulnerability arises from crafted constructor bodies in the script sandbox, enabling sandbox bypass and execution of arbitrary code in the Jenkins controller JVM for users with scripting permissions. Conn...

RHCOS 4 : OpenShift Container Platform 4.10.56 (RHSA-2023:1655)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1655 advisory. - kube-apiserver: Aggregated API server can cause clients to be redirected SSRF CVE-2022-3172 - spring-security-oauth2-client:...

plugin: CSRF vulnerability in Script Security Plugin

A cross-site request forgery CSRF vulnerability in Jenkins Script Security Plugin 1158.v7c1b73a69a08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver...

CVE-2023-24422

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a2fb25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the...

Security feature bypass

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a2fb25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the...

CVE-2022-45379

Jenkins Script Security Plugin 1189.vbab7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks...

Security feature bypass

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b0b0aa451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection a...