CVE-2022-4342
CVE-2022-4342 affects GitLab CE/EE versions: 15.1–15.5.6 (up to 15.5.7 noted by some sources), 15.6.x prior to 15.6.4, and 15.7.x prior to 15.7.2. The issue allows a malicious Maintainer to leak masked webhook secrets by changing the webhook target URL. Public sources corroborate the basic descri...
Barzahlen Payment Module PHP SDK Security Vulnerability
Barzahlen Payment Module PHP SDK is a Barzahlen PHP library. A security vulnerability exists in Barzahlen Payment Module PHP SDK versions prior to 2.0.1, which stems from a faulty validation of a function in the file src/Webhook.php, which can lead to observable timing differences...
PT-2023-10334 · Viafintech · Viafintech Barzahlen Payment Module Php Sdk
Name of the Vulnerable Software and Affected Versions: viafintech Barzahlen Payment Module PHP SDK versions up to 2.0.0 Description: A vulnerability was found in the viafintech Barzahlen Payment Module PHP SDK, affecting the verify function of the file src/Webhook.php. The manipulation leads to...
The vulnerability of the Webhook Endpoint component of the Jenkins Git Plugin, related to the disclosure of information, allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the Webhook Endpoint component of the Jenkins Git Plugin relates to the disclosure of information. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to protected information...
Mask Webhook secret Key
While configuring webhooks in Bitbucket, we have the option to provide a secret key that is not masked, and hence the plain text secret key is visible in audit logs; kindly mask the secret key. Steps to reproduce: Configure a webhook in Bitbucket Server. When the hook is created or modified we see the...
GitLab CE/EE Security Vulnerability
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery), and other features. A security vulnerability exists in GitLab CE/EE, which stems from the fact tha...
GitLab CE/EE Security Vulnerability
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery), and other features. A security vulnerability exists in GitLab CE/EE, which stems from the leakage o...
FreeBSD : Gitlab -- Multiple Vulnerabilities (3cde510a-7135-11ed-a28b-bff032704f00)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 3cde510a-7135-11ed-a28b-bff032704f00 advisory. - Gitlab reports: DAST API scanner exposes Authorization headers in vulnerabilities Group IP...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: DAST API scanner exposes Authorization headers in vulnerabilities Group IP allow-list not fully respected by the Package Registry Deploy keys and tokens may bypass External Authorization service if it is enabled Repository import still allows to import 40 hexadecimal branches...
Jenkins Generic Webhook Trigger Plugin External Entity Injection (CVE-2021-21669)
An XXE vulnerability exists in Jenkins Generic Webhook Trigger Plugin. The vulnerability is due to insufficient validation of input parameters. Successful exploitation could lead to the disclosure of file contents for any file readable by Jenkins...
W4SP Stealer Constantly Targeting Python Developers in Ongoing Supply Chain Attack
An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date. "The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technic...
Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt. In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authenticatio...
GHSA-V535-PC6R-77QH Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt. In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authenticatio...
Prototype Pollution
parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via a compromised parse server cloud code webhook target endpoint, resulting in prototype pollution...
Jenkins Plugin XP-Dev Security Vulnerability
Jenkins and Jenkins Plugin are both open source products of Jenkins. Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. A security vulnerability...
PT-2022-27487 · Cloudbees +1 · Jenkins Cloudbees Docker Hub/Registry Notification Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins CloudBees Docker Hub/Registry Notification Plugin versions 2.6.2 and earlier Description: A missing permission check in the Jenkins CloudBees Docker Hub/Registry Notification Plugin allows unauthenticated attackers to trigger builds o...
Parse Server Security Vulnerability
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.20 or 5.3.3, which stems from an attacker's ability to perform prototype pollution via a Cloud Code webhook...
PT-2022-26111 · Unknown · Parse Server
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.3.3 Parse Server versions prior to 4.10.20 Description: A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...
CVE-2022-41879
Parse Server is affected by a prototype pollution vulnerability in Cloud Code Webhook targets. In versions prior to 5.3.3 and 4.10.20, an attacker can exploit a compromised Cloud Code Webhook endpoint to bypass the server’s requestKeywordDenylist, enabling prototype pollution with potentially hig...
Jenkins GitLab Plugin Cross-Site Scripting (CVE-2022-34777)
A stored cross-site scripting vulnerability exists in Jenkins GitLab Plugin. This vulnerability is due to insufficient validation of user provided fields in the build cause of webhook triggered builds...