
Wordfence Blog (added 2023/09/07 12:51 p.m., 151 views)

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)

Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities i...

CVSS 7.5 | AI score 8 | EPSS 0.39554
Exploits 22

Github Security Blog (added 2023/09/06 3:30 p.m., 19 views)

SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

CVSS 7.5 | AI score 6.5 | EPSS 0.00566
Exploits 0 | References 4 | Affected Software 1

OSV (added 2023/09/06 3:30 p.m., 19 views)

GHSA-VRPG-C7C4-8MPX SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

CVSS 7.5 | AI score 7.5 | EPSS 0.00566
Exploits 0 | References 3

OSV (added 2023/09/06 1:15 p.m., 1 view)

CVE-2023-41937

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

CVSS 7.5 | AI score 5.8 | EPSS 0.00566
Exploits 0 | References 2

NVD (added 2023/09/06 1:15 p.m., 14 views)

CVE-2023-41937

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

CVSS 7.5 | AI score 7.7 | EPSS 0.00566
Exploits 0 | References 2

Prion (added 2023/09/06 1:15 p.m., 21 views)

Design/Logic Flaw

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

CVSS 5 | AI score 7.4 | EPSS 0.00566
Exploits 0 | References 2 | Affected Software 1

Vulnrichment (added 2023/09/06 12:08 p.m., 12 views)

CVE-2023-41937

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

AI score 6.5 | EPSS 0.00566
Exploits 0 | References 2

CVE (added 2023/09/06 12:08 p.m., 221 views)

CVE-2023-41937

CVE-2023-41937 affects the Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0–2.8.3 (inclusive). The vulnerability arises because the plugin trusts values in the webhook payload (including certain URLs) and uses configured Bitbucket credentials to connect to those URLs, enabling an att...

CVSS 7.5 | AI score 7.4 | EPSS 0.00566
Exploits 0 | References 2 | Affected Software 1

Cvelist (added 2023/09/06 12:08 p.m., 21 views)

CVE-2023-41937

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by...

AI score 7.8 | EPSS 0.00566
Exploits 0 | References 2

CNNVD (added 2023/09/06 12:00 a.m., 2 views)

Jenkins Plugin Bitbucket Push and Pull Request Code Issue Vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products. Jenkins is a software application: an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is a software application. A security vulnerability...

CVSS 7.5 | AI score 6.6 | EPSS 0.00566
Exploits 0 | References 4

Wordfence Blog (added 2023/08/29 1:17 p.m., 17 views)

Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!

We’re incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which enables users to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence WordPress Vulnerability database, all completely for...

AI score 6.7
Exploits 0

Veracode (added 2023/08/18 4:01 a.m., 17 views)

Improper Input Validation

github.com/woodpecker-ci/woodpecker is vulnerable to Improper Input Validation. The vulnerability occurs because the library does not properly validate webhook data, which could be used to take over the repository...

CVSS 8.1 | AI score 6.8 | EPSS 0.00716
Exploits 0 | References 6 | Affected Software 1

NVD (added 2023/08/16 9:15 p.m., 16 views)

CVE-2023-40034

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repo. This is only critical if the CI is configured for public usage and connected to a for...

CVSS 8.1 | AI score 8.1 | EPSS 0.00716
Exploits 0 | References 4

Prion (added 2023/08/16 9:15 p.m., 16 views)

Code injection

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repo. This is only critical if the CI is configured for public usage and connected to a for...

CVSS 5.1 | AI score 8 | EPSS 0.00716
Exploits 0 | References 4 | Affected Software 1

Github Security Blog (added 2023/08/16 9:02 p.m., 46 views)

Woodpecker does not validate webhook before changing any data

Impact: An attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repository. This is only critical if the CI is configured for public usage and connected to a forge which is also in public usage. Patches: Please use either nex...

CVSS 8.1 | AI score 6.3 | EPSS 0.00716
Exploits 0 | References 7 | Affected Software 1

OSV (added 2023/08/16 9:02 p.m., 25 views)

GHSA-4GCF-5M39-98MC Woodpecker does not validate webhook before changing any data

Impact: An attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repository. This is only critical if the CI is configured for public usage and connected to a forge which is also in public usage. Patches: Please use either nex...

CVSS 8.1 | AI score 8 | EPSS 0.00716
Exploits 0 | References 7

Vulnrichment (added 2023/08/16 8:48 p.m., 12 views)

CVE-2023-40034 Repository takeover in woodpecker-ci

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repo. This is only critical if the CI is configured for public usage and connected to a for...

CVSS 8.1 | AI score 8.1 | EPSS 0.00716
Exploits 0 | References 4

CVE (added 2023/08/16 8:48 p.m., 78 views)

CVE-2023-40034

CVE-2023-40034 affects Woodpecker CI (community fork of Drone CI). The vulnerability: attackers can post malformed webhook data to trigger repository data updates, potentially allowing takeover of a repository when the CI is public and connected to a public forge. The issue is addressed in versio...

CVSS 8.1 | AI score 8 | EPSS 0.00716
Exploits 0 | References 4 | Affected Software 1

OSV (added 2023/08/16 8:48 p.m., 29 views)

CVE-2023-40034 Repository takeover in woodpecker-ci

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repo. This is only critical if the CI is configured for public usage and connected to a for...

CVSS 8.1 | AI score 8 | EPSS 0.00716
Exploits 0 | References 6

Github Security Blog (added 2023/08/16 3:30 p.m., 27 views)

Jenkins Gogs Plugin vulnerable to unsafe default behavior and information disclosure

Jenkins Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default. This allows unauthenticated attackers to trigger builds of...

CVSS 5.3 | AI score 6.7 | EPSS 0.00577
Exploits 0 | References 4 | Affected Software 1