Lucene search
K

54 matches found

Github Security Blog
Github Security Blog
added 2022/05/24 7:19 p.m.32 views

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...

8.1CVSS1.4AI score0.01911EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 7:19 p.m.27 views

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...

9.8CVSS0.8AI score0.02034EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 7:19 p.m.23 views

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...

9.1CVSS1.2AI score0.01416EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/24 7:12 p.m.26 views

RCE vulnerability in Jenkins Code Coverage API Plugin

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk. This results in a remote code execution RCE vulnerability exploitable by attackers able to control agent processes. Jenkins Code Coverage API Plugin 1.4....

8.8CVSS9AI score0.02213EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/05/24 7:12 p.m.46 views

GHSA-58PR-HPRX-7HG6 RCE vulnerability in Jenkins Code Coverage API Plugin

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk. This results in a remote code execution RCE vulnerability exploitable by attackers able to control agent processes. Jenkins Code Coverage API Plugin 1.4....

8.8CVSS9.1AI score0.02213EPSS
Exploits0References5
Prion
Prion
added 2022/03/15 5:15 p.m.17 views

Server side request forgery (ssrf)

Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses externa...

4CVSS6.4AI score0.01314EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2022/02/18 6:7 a.m.43 views

Information Disclosure

hashicorp-vault-plugin is vulnerable to information disclosure. Remote unauthenticated attackers are able to gain access to sensitive information by controlling agent processes to obtain Vault secrets via an attacker-specified path and key...

6.5CVSS4.2AI score0.00809EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2022/02/16 12:1 a.m.30 views

GHSA-FM6Q-97GW-C4WH Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key...

3.1CVSS6.6AI score0.00809EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/02/16 12:1 a.m.58 views

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key...

6.5CVSS3.6AI score0.00809EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2022/02/16 12:1 a.m.21 views

GHSA-2587-W93G-63M2 Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin allows reading arbitrary files

Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. Thi...

5.3CVSS6.6AI score0.00809EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2022/02/16 12:1 a.m.27 views

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin allows reading arbitrary files

Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. Thi...

6.5CVSS1.3AI score0.00809EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/02/16 12:1 a.m.13 views

GHSA-64Q9-F38H-9MWX Protection Mechanism Failure in Jenkins Doktor Plugin

Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists...

5.4CVSS5.7AI score0.00591EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2022/02/16 12:0 a.m.35 views

Protection Mechanism Failure in Jenkins Doktor Plugin

Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists...

5.5CVSS3.9AI score0.00591EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2022/02/15 5:15 p.m.24 views

CVE-2022-25204

Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists...

5.5CVSS0.00591EPSS
Exploits0References1
OSV
OSV
added 2022/02/15 5:15 p.m.2 views

CVE-2022-25186

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key...

6.5CVSS5.8AI score
Exploits0References1
Cvelist
Cvelist
added 2022/02/15 4:11 p.m.33 views

CVE-2022-25186

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key...

6.9AI score0.00809EPSS
Exploits0References1
CVE
CVE
added 2022/02/15 4:11 p.m.170 views

CVE-2022-25186

CVE-2022-25186 affects the Jenkins HashiCorp Vault Plugin (3.8.0 and earlier). The vulnerability lets an attacker who can control an agent process retrieve vault secrets for an attacker-specified path and key from the agent side. In practical terms, compromised agents can exfiltrate sensitive Vau...

6.5CVSS6.5AI score0.00809EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2022/02/15 12:0 a.m.3 views

PT-2022-1879 · Hashicorp +1 · Jenkins Hashicorp Vault Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins HashiCorp Vault Plugin versions 336.v182c0fbaaeb7 and earlier Description: The issue allows agent processes to read arbitrary files on the Jenkins controller file system. This can be exploited by attackers who can control agent...

6.8CVSS6.2AI score0.00809EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2022/01/13 12:0 a.m.27 views

Agent-to-controller security bypass in Jenkins Debian Package Builder Plugin

Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller. This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller...

9CVSS8.6AI score0.01603EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2022/01/12 8:15 p.m.3 views

CVE-2022-23117

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller...

7.5CVSS7.1AI score0.01285EPSS
Exploits0References2
Rows per page
Query Builder