89 matches found
CVE-2023-30527
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system...
CVE-2023-30528
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it...
CVE-2023-24428
A cross-site request forgery CSRF vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account...
CVE-2019-10460
Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system...
CVE-2025-47889
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
GHSA-P89H-P4PH-4VJ6 Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
CVE-2025-47889
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
CVE-2025-47889
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
CVE-2025-47889
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
CVE-2025-47889
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist...
CVE-2025-47889
CVE-2025-47889 affects Jenkins WSO2 Oauth Plugin 1.0 and earlier. The root cause is that authentication claims are accepted without validation by the WSO2 Oauth security realm, enabling unauthenticated logins with any username/password (including non-existent usernames). This can grant accessed c...
Jenkins plugin WSO2 Oauth 安全漏洞
Jenkins and Jenkins plugin are both Jenkins open source products.Jenkins is an application software. An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project.Jenkins plugin is an application software plugin. A security...
Jenkins plugins Multiple Vulnerabilities (2025-05-14)
According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Critical In WSO2 Oauth Plugin 1.0 and earlier authentication claims are accepted without validation by the WSO2 Oauth security realm. This...
PT-2025-21242 · Jenkins · Jenkins Wso2 Oauth Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins WSO2 Oauth Plugin versions 1.0 and earlier Description: The issue allows unauthenticated attackers to log in to controllers using the "WSO2 Oauth" security realm with any username and any password, including usernames that do not exis...
CVE-2025-23046 GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth...
VulnCheck KEV: CVE-2017-9506
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery SSRF...
The vulnerability of the Jenkins WSO2 Oauth Plugin relates to incorrect session expiration times, allowing attackers to gain unauthorized access to protected information.
The vulnerability of the Jenkins WSO2 Oauth Plugin is related to an incorrect session expiration time. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to protected information...
PT-2023-24583 · Liferay · Plugin For Oauth 2.0 +2
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.41 through 7.4.3.52 Liferay DXP 7.4 update 41 through 52 Description: The issue concerns multiple cross-site scripting XSS vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect...
CVE-2023-33006
A cross-site request forgery CSRF vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account...