PT-2022-22333 · Jenkins · Jenkins +1
Name of the Vulnerable Software and Affected Versions: Jenkins requests-plugin Plugin versions 2.2.16 and earlier Description: An incorrect permission check in the Jenkins requests-plugin Plugin allows attackers with Overall/Read permission to view the list of pending requests. This issue is...
CSRF vulnerabilities in Jenkins requests-plugin Plugin
Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or...
Missing permission check in Jenkins requests-plugin Plugin allows viewing pending requests
Jenkins requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. Jenkins requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pendin...
GHSA-C4C3-3CGH-VVRH Missing permission check in Jenkins requests-plugin Plugin allows viewing pending requests
Jenkins requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. Jenkins requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pendin...
GHSA-5FRH-WX6V-8M2R CSRF vulnerabilities in Jenkins requests-plugin Plugin
Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or...
Missing permission check in Jenkins requests-plugin Plugin allows sending emails
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. Jenkins requests-plugin Plugin 2.2.8 requires Overall/Administer permission to...
GHSA-W3GM-VV58-WR55 Missing permission check in Jenkins requests-plugin Plugin allows sending emails
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. Jenkins requests-plugin Plugin 2.2.8 requires Overall/Administer permission to...
Exploit for Authentication Bypass by Spoofing in Apache APISIX
Apache APISIX Remote Code Execution CVE-2022-24112 Exploit...
Apache APISIX Remote Code Execution Vulnerability
Apache APISIX is a cloud-native microservice API gateway from the Apache Foundation. Built on OpenResty and etcd, it offers dynamic routing and plug-in hot loading and is suited to API management in microservice systems. A remote code execution vulnerability...
CVE-2022-24112
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...
CVE-2022-24112
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...
Default configuration
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...
CVE-2022-24112
CVE-2022-24112 affects Apache APISIX. It arises from the batch-requests plugin, where a bug can bypass the Admin API IP restriction, enabling remote code execution. Exploits/PoCs exist for APISIX 2.12.0–2.12.1 demonstrating RCE via admin API path and Lua code injection in routes, with documented ...
PT-2022-2569
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 2.12.1 Description: The issue concerns an authentication bypass vulnerability in Apache APISIX, where an attacker can exploit the batch-requests plugin to send requests and bypass the IP restriction of the Admin API. Th...
Apache APISIX Security Vulnerability
Apache APISIX is a cloud-native microservice API gateway from the Apache Foundation. Built on OpenResty and etcd, it offers dynamic routing and plug-in hot loading and is suited to API management in microservice systems. A remote code execution vulnerability...
CVE-2021-21675
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests...
CVE-2021-21674
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests...
CVE-2021-21676
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address...
CVE-2021-21674
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests...
CVE-2021-21675
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests...