3534 matches found

Positive Technologies · added 2022/08/18 12:00 a.m.

PT-2022-14121 · Kubevirt +1

Name of the Vulnerable Software and Affected Versions: KubeVirt versions up to 0.56 KubeVirt version 0.55.1 Description: A path traversal vulnerability in KubeVirt allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are...

CVSS 9.3 · AI score 8.8 · EPSS 0.02737 · Exploits 2 · References 35
Veracode · added 2022/08/01 3:18 a.m.

Information Disclosure

github.com/runatlantis/atlantis is vulnerable to information disclosure. The vulnerability exists in the ParseAndValidate function in gitlabrequestparservalidator.go because the webhook event is not properly validated with a constant-time comparison, which allows an attacker to recover the secret...

CVSS 7.5 · AI score 7 · EPSS 0.00928 · Exploits 1 · References 4 · Affected Software 1
Github Security Blog · added 2022/07/30 12:00 a.m.

Atlantis Events vulnerable to Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · AI score 7.2 · EPSS 0.00928 · Exploits 1 · References 7 · Affected Software 1
OSV · added 2022/07/30 12:00 a.m.

GHSA-JXQV-JCVH-7GR4 Atlantis Events vulnerable to Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · AI score 7.2 · EPSS 0.00928 · Exploits 1 · References 7
NVD · added 2022/07/29 10:15 a.m.

CVE-2022-24912

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · EPSS 0.00928 · Exploits 1 · References 3
OSV · added 2022/07/29 10:15 a.m.

CVE-2022-24912

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · AI score 7.5 · Exploits 0 · References 3
Prion · added 2022/07/29 10:15 a.m.

Code injection

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 5 · AI score 7.4 · EPSS 0.00928 · Exploits 1 · References 3 · Affected Software 1
Cvelist · added 2022/07/29 10:00 a.m.

CVE-2022-24912 Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · AI score 7.6 · EPSS 0.00928 · Exploits 1 · References 3
CVE · added 2022/07/29 10:00 a.m.

CVE-2022-24912

The vulnerability is in github.com/runatlantis/atlantis/server/controllers/events (pre-0.19.7) where webhook secret validation uses a non-constant-time comparison, enabling timing attacks to recover the secret and forge webhook events. This aligns with CVE-2022-24912 and related advisories. Impac...

CVSS 7.5 · AI score 7.3 · EPSS 0.00928 · Exploits 1 · References 3 · Affected Software 1
ATTACKERKB · added 2022/07/29 10:00 a.m.

CVE-2022-24912

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5 · AI score 5.8 · EPSS 0.00928 · Exploits 1 · References 4
Positive Technologies · added 2022/07/29 12:00 a.m.

PT-2022-16979 · Atlantis

Name of the Vulnerable Software and Affected Versions: github.com/runatlantis/atlantis/server/controllers/events versions prior to 0.19.7 Description: The issue is related to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate th...

CVSS 7.5 · AI score 7.3 · EPSS 0.00928 · Exploits 1 · References 11
CNNVD · added 2022/07/29 12:00 a.m.

Atlantis security vulnerability

Atlantis is an open source, self-hosted Golang application. It listens to Terraform pull request events via webhook. A security vulnerability exists in Atlantis versions prior to 0.19.7, which stems from a Timing Attack vulnerability in the package...

CVSS 7.5 · AI score 7.2 · EPSS 0.00928 · Exploits 1 · References 4
vulnersOsv · added 2022/07/28 12:00 a.m.

com.base2services.jenkins:github-sqs-plugin (>=1.0 <=1.5), com.elasticbox.jenkins-ci.plugins:elasticbox (>=4.0.9 <=4.1.6) +24 more potentially affected by CVE-2022-36885 via com.coravy.hudson.plugins.github:github (>=1.10 <=1.3)

com.coravy.hudson.plugins.github:github MAVEN version =1.10, =1.0, =4.0.9, =1.0-alpha-1, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =1.3.0, =1.0, =0.9.14, =1.36.0, =1.42.2 and more Source cves: CVE-2022-36885 Source advisory:...

CVSS 5.3 · AI score 5.9 · EPSS 0.00707 · Exploits 0
OSV · added 2022/07/28 12:00 a.m.

GHSA-449W-C77C-VMF6 Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

CVSS 5.3 · AI score 6 · EPSS 0.00836 · Exploits 0 · References 5
OSV · added 2022/07/28 12:00 a.m.

GHSA-MXCC-7H5M-X57R Jenkins GitHub plugin uses weak webhook signature function

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. GitHub Plugin 1.34.5 uses a constant-time comparis...

CVSS 3.1 · AI score 6.5 · EPSS 0.00707 · Exploits 0 · References 7
Github Security Blog · added 2022/07/28 12:00 a.m.

Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

CVSS 5.3 · AI score 6.1 · EPSS 0.00836 · Exploits 0 · References 5 · Affected Software 1
Github Security Blog · added 2022/07/28 12:00 a.m.

Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

CVSS 7.5 · AI score 7.5 · EPSS 0.05454 · Exploits 0 · References 5 · Affected Software 1
Github Security Blog · added 2022/07/28 12:00 a.m.

Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

CVSS 8.8 · AI score 8.4 · EPSS 0.0058 · Exploits 0 · References 5 · Affected Software 1
Github Security Blog · added 2022/07/28 12:00 a.m.

Jenkins GitHub plugin uses weak webhook signature function

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. GitHub Plugin 1.34.5 uses a constant-time comparis...

CVSS 5.3 · AI score 5.4 · EPSS 0.00707 · Exploits 0 · References 7 · Affected Software 1
OSV · added 2022/07/28 12:00 a.m.

GHSA-V878-67XW-GRW2 Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

CVSS 6.5 · AI score 7 · EPSS 0.05454 · Exploits 0 · References 5