16 matches found
Improper Ownership Management
Overview Affected versions of this package are vulnerable to Improper Ownership Management due to improper context setting during Vault credentials lookup. An attacker can access and potentially capture sensitive Vault credentials by leveraging Item/Configure permissions. Remediation There is no...
CVE-2022-29037
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
CVE-2020-2108
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions...
RabbitMQ 访问控制错误漏洞
RabbitMQ is a feature-rich multi-protocol messaging and streaming agent open-sourced by RabbitMQ. An access control error vulnerability exists in RabbitMQ that stems from not validating a user's configure permissions when deleting a queue via the HTTP API. A user with valid credentials, partial...
Incorrect Authorization
Jenkins is vulnerable to Incorrect Authorization. The vulnerability is due to incomplete enforcement of item creation checks, where prohibited items are created in memory and can be saved to persist them, bypassing restrictions when attackers have Item/Configure permissions...
jenkins-2-plugins: Improper input sanitization in HTML Publisher Plugin
A flaw was found in jenkins-2-plugins. In the HTML Publisher Plugin 1.16 through 1.32, fallback for reports created in HTML Publisher Plugin 1.15 and earlier does not properly sanitize input. This can allow attackers with Item/Configure permissions to implement stored cross-site scripting XSS...
GHSA-F5WX-W2F9-82GH XXE vulnerability in Jenkins WebSphere Deployer Plugin
WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin...
Jenkins Jira Plugin Incorrect Authorization vulnerability
An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Jenkins Cloud Foundry Plugin vulnerable to exposure of sensitive information
\Jenkins Cloud Foundry Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
workflow-cps-global-lib: OS command execution through crafted SCM contents
A flaw was found in Jenkins. The JenkinsPipeline: Shared Groovy Libraries uses the same checkout directories for distinct SCMs for Pipeline libraries. This flaw allows attackers with item/configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. This...
CVE-2022-27196
Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure or Item/Create permissions...
CVE-2022-20615
A stored Cross-site scripting XSS vulnerability was found in the Jenkins Matrix Project plugin. There are no escape HTML metacharacters in node, label names, and label descriptions, which allows an attacker with Agent/Configure permissions to perform an XSS attack...
jenkins: Path traversal vulnerability in agent names
A flaw was found in jenkins. Users with Agent/Configure permissions can choose agent names that cause an override to the global config.xml file. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
jenkins: Path traversal vulnerability in agent names
A flaw was found in jenkins. Users with Agent/Configure permissions can choose agent names that cause an override to the global config.xml file. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
CVE-2020-2108
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions...
jenkins: Stored XSS vulnerability in expandable textbox form control
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents typically Job/Configure...