922 matches found
org.jenkins-ci.plugins:cloudbees-deployer-plugin (=6.0) potentially affected by CVE-2022-36890 via org.jenkins-ci.plugins:deployer-framework (=1.0)
org.jenkins-ci.plugins:deployer-framework MAVEN version =1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:deployer-framework and may be impacted: - org.jenkins-ci.plugins:cloudbees-deployer-plugin =6.0 Source cves:...
Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.14 / 2.332.4.1 / 2.346.1.4 Multiple Vulnerabilities (CloudBees Security Advisory 2022-06-22)
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.14, or 2.x prior to 2.332.4.1 or 2.346.1.4. It is, therefore, affected by multiple vulnerabilities, including the following: - Jenkins Pipeline: Input Step Plugin...
GHSA-7RX6-4VWV-432G Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds
Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP...
GHSA-JWR9-H4JM-C9CH Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs
CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins if any of the following plugins are installed: - Amazon...
GHSA-C445-XM3F-HMFH Incorrect permission check in Health Advisor by CloudBees Plugin
Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its...
org.jenkins-ci.plugins:cloudbees-deployer-plugin (=6.0) potentially affected by CVE-2020-2227 via org.jenkins-ci.plugins:deployer-framework (=1.0)
org.jenkins-ci.plugins:deployer-framework MAVEN version =1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:deployer-framework and may be impacted: - org.jenkins-ci.plugins:cloudbees-deployer-plugin =6.0 Source cves: CVE-2020-22...
GHSA-H72V-652W-XV64 Missing permission checks in Health Advisor by CloudBees Plugin
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient. Additionally, these form validation methods do not requir...
GHSA-FC92-8R77-9297 CSRF vulnerability in Health Advisor by CloudBees Plugin
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient. Additionally, these form validation methods do not requir...
GHSA-66R6-RVV9-9X6M Jenkins ElectricFlow Plugin missing permission check
A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. Additionally, the form validation method did not require POST...
GHSA-M8F2-9282-X38V Jenkins ElectricFlow Plugin Missing permission checks
Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers...
GHSA-W3PJ-V9JR-V2WC Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability
The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. CloudBees ...
GHSA-XMQV-PFW7-QMJ7 Jenkins ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application. CloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment fo...