Lucene search
+L

155 matches found

Github Security Blog
Github Security Blog
added 2022/05/24 5:27 p.m.37 views

Stored XSS vulnerability in Jenkins Git Parameter Plugin

Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. Git Parameter Plugin 0.9.13 escapes the repository field o...

5.4CVSS4.9AI score0.00753EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 5:23 p.m.32 views

Stored XSS vulnerability in multiple axis builds tooltips in Jenkins Matrix Project Plugin

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Job/Configure permission. Matrix Project Plugin 1.17 escapes the axi...

5.4CVSS5.7AI score0.01041EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 5:19 p.m.30 views

Stored XSS vulnerability in Jenkins ECharts API Plugin

ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Job/Configure permission. ECharts API Plugin 4.7.0-4 escapes the parser identifier...

5.4CVSS5AI score0.00735EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 5:8 p.m.23 views

Jenkins Git Parameter Plugin vulnerable to stored cross-site scripting (XSS)

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission...

5.4CVSS5.1AI score0.00735EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/05/24 5:7 p.m.27 views

GHSA-F5WX-W2F9-82GH XXE vulnerability in Jenkins WebSphere Deployer Plugin

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin...

7.6CVSS7.5AI score0.00904EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2022/05/24 5:1 p.m.26 views

Jenkins Google Compute Engine Plugin Missing Authorization vulnerability

Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. Google Compute Engine Plugin 4.2.0 requires the appropriate...

4.3CVSS3.3AI score0.00691EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2022/05/24 4:50 p.m.9 views

GHSA-QR42-82QJ-MW65 Improper Limitation of a Pathname to a Restricted Directory in Jenkins

A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary fil...

6.5CVSS6.8AI score0.10225EPSS
Exploits1References9
OSV
OSV
added 2022/05/24 4:47 p.m.45 views

GHSA-M8F2-9282-X38V Jenkins ElectricFlow Plugin Missing permission checks

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers...

4.3CVSS4.3AI score0.01353EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2022/05/17 3:15 p.m.5 views

CVE-2022-30952

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins...

6.5CVSS6.6AI score0.00922EPSS
Exploits0References3
OSV
OSV
added 2022/05/17 3:53 a.m.5 views

GHSA-64MC-2M9P-23C8 Jenkins allows remote authenticated users to bypass intended restrictions and create or destroy arbitrary jobs

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors...

6CVSS7.3AI score0.01384EPSS
Exploits0References6
OSV
OSV
added 2022/05/14 3:44 a.m.9 views

GHSA-R57F-7XW3-Q2R9 Improper Authentication in Jenkins

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to...

8.8CVSS5.9AI score0.01214EPSS
Exploits1References5
OSV
OSV
added 2022/05/14 1:4 a.m.19 views

GHSA-3PR8-RF62-G893 Path Traversal in Jenkins

A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an...

6.5CVSS6AI score0.04021EPSS
Exploits0References5
OSV
OSV
added 2022/05/14 1:4 a.m.2 views

GHSA-9JCV-V4JP-W3CQ Cross-site Scripting in Jenkins Core

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's...

5.4CVSS6AI score0.00884EPSS
Exploits0References3
OSV
OSV
added 2022/05/13 1:48 a.m.3 views

GHSA-GQHM-4H93-RRHG Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permissio...

8.8CVSS7.2AI score0.01639EPSS
Exploits0References7
OSV
OSV
added 2022/05/13 1:48 a.m.27 views

GHSA-P4P5-3V2J-W5RV Improper Privilege Management in Jenkins

A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy...

8.8CVSS7.1AI score0.01639EPSS
Exploits0References5
OSV
OSV
added 2022/05/13 1:36 a.m.26 views

GHSA-R5C7-QCC9-5V7M Jenkins Pipeline Classpath Step plugin allowed Script Security sandbox bypass

It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins...

8.5CVSS8.6AI score0.01145EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/05/13 1:15 a.m.37 views

Script security sandbox bypass in Matrix Project Plugin

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM...

9.9CVSS5.3AI score0.03394EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2022/05/13 1:15 a.m.63 views

GHSA-QWM8-VGM6-F86P Script security sandbox bypass in Jenkins Email Extension Plugin

A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java,...

9.9CVSS9.8AI score0.02439EPSS
Exploits0References4
OSV
OSV
added 2022/05/13 1:1 a.m.3 views

GHSA-PGXV-H967-FW2Q Improper Neutralization of Input During Web Page Generation in Jenkins

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other us...

5.4CVSS7.1AI score0.00894EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2022/04/12 12:0 a.m.4 views

PT-2022-19389 · Jenkins · Jenkins Promoted Builds Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins promoted builds Plugin versions 873.v6149db d64130 and earlier, except version 3.10.1 Description: The issue allows attackers with Job/Configure permission to create a promotion with an unsafe name, as the names of promotions defined ...

5.4CVSS4.9AI score0.00784EPSS
Exploits0References8
Rows per page
Query Builder