22 matches found
EUVD-2024-0383
Malicious code in bioql PyPI...
CVE-2024-31139
In JetBrains TeamCity before 2024.03 XXE was possible in the Maven build steps detector...
CVE-2022-28146
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps...
GHSA-XFX3-CR74-X3CV Exposure of secrets through system log in Jenkins Structs Plugin
Structs Plugin provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When Structs Plugin 337.v1b04ea4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may...
An information disclosure flaw was found in Buildah when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
...
JetBrains TeamCity security vulnerability
JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis, and build issue analysis reports. A security vulnerability exists in JetBrains TeamCity versions prior t...
Race Condition
buildkit is vulnerable to a Race Condition. The vulnerability is caused when two malicious build steps are run in parallel, sharing the same cache mounts with subpaths. This issue can be exploited by an attacker to access files on the host filesystem...
CVE-2023-28677
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted...
Improper masking of some secrets in Jenkins Credentials Binding Plugin
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is...
RCE vulnerability in Jenkins Pipeline: AWS Steps Plugin
Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin's build steps. Pipeline: AW...
GHSA-W598-25HM-JQX3 RCE vulnerability in Jenkins Pipeline: AWS Steps Plugin
Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin's build steps. Pipeline: AW...
PT-2022-18854 · Jenkins · Jenkins Pipeline: Phoenix Autotest Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier. Description: The issue is related to the Phoenix AutoTest Plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. This allows attackers who can contr...
jenkins-credentials-binding-plugin: information disclosure in build log when build contains no build steps
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps...
PT-2020-15394 · Jenkins · Jenkins Credentials Binding Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Credentials Binding Plugin versions 1.22 and earlier. Description: The issue concerns the Jenkins Credentials Binding Plugin, where secrets are not masked in the build log when the build contains no build steps. This affects the securi...