2306 matches found

Prion
added 2019/04/04 4:29 p.m. · 12 views

Design/Logic Flaw

Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system...

CVSS 4 · AI score 8.6 · EPSS 0.01773
Exploits 0 · References 3

CVE
added 2019/04/04 3:38 p.m. · 53 views

CVE-2019-10296

CVE-2019-10296 affects the Jenkins Serena SRA Deploy Plugin. The vulnerability arises from credentials being stored unencrypted in the plugin’s global configuration on the Jenkins master, specifically in the UrbanDeployPublisher.xml file, which can be read by anyone with access to the Jenkins con...

CVSS 8.8 · AI score 8.6 · EPSS 0.01773
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2019/04/04 3:38 p.m. · 17 views

CVE-2019-10296

Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system...

AI score 8.7 · EPSS 0.01773
Exploits 0 · References 3

Positive Technologies
added 2019/04/04 12:0 a.m. · 2 views

PT-2019-11698 · Jenkins · Jenkins Serena Sra Deploy Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Serena SRA Deploy Plugin affected versions not specified Description: The issue concerns the storage of credentials in an unencrypted manner within the global configuration file on the Jenkins master or controller. Specifically, the...

CVSS 8.8 · AI score 8.5 · EPSS 0.01773
Exploits 0 · References 5

IBM Security Bulletins
added 2019/04/03 7:55 p.m. · 37 views

Security Bulletin: An Authenticated Agent Can Modify Another Agent's Properties (CVE-2018-1995)

Summary Old versions of UrbanCode Deploy web agents can allow unauthorized property modification of other agents. Vulnerability Details CVEID: CVE-2018-1995 Details: An authenticated agent can modify another agent's properties using a specially crafted request. Consequences: Agent properties can ...

CVSS 7.5 · AI score 4 · EPSS 0.1684
Exploits 0 · Affected Software 1

Veracode
added 2019/03/25 8:40 a.m. · 23 views

Authentication Bypass

Apache Geronimo is vulnerable to authentication bypass. This is caused by improper exception handling for failed logins, which would allow a remote attacker to bypass authentication requirements and deploy arbitrary modules and gain administrative access by submitting a blank username and passwor...

CVSS 10 · AI score 7.1 · EPSS 0.0419
Exploits 0 · References 5 · Affected Software 1

OSV
added 2019/02/20 3:29 a.m. · 3 views

CVE-2019-8944

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 and before 2018.10.4 LTS allows remote authenticated users to view sensitive Terraform output variables via log files...

CVSS 6.5 · AI score 6.7 · EPSS 0.01548
Exploits 0 · References 2

Prion
added 2019/02/20 3:29 a.m. · 17 views

Information disclosure

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 and before 2018.10.4 LTS allows remote authenticated users to view sensitive Terraform output variables via log files...

CVSS 4 · AI score 6.1 · EPSS 0.01548
Exploits 0 · References 2 · Affected Software 2

NVD
added 2019/02/20 3:29 a.m. · 17 views

CVE-2019-8944

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 and before 2018.10.4 LTS allows remote authenticated users to view sensitive Terraform output variables via log files...

CVSS 6.5 · AI score 6.2 · EPSS 0.01548
Exploits 0 · References 2

Cvelist
added 2019/02/20 3:0 a.m. · 19 views

CVE-2019-8944

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 and before 2018.10.4 LTS allows remote authenticated users to view sensitive Terraform output variables via log files...

AI score 6.2 · EPSS 0.01548
Exploits 0 · References 2

CVE
added 2019/02/20 3:0 a.m. · 53 views

CVE-2019-8944

The CVE-2019-8944 entry concerns Octopus Deploy’s Terraform deployment step prior to 2019.1.8 (and before 2018.10.4 LTS), where remote authenticated users can view sensitive Terraform output variables via log files. The affected component is the Terraform deployment step; root cause is informatio...

CVSS 6.5 · AI score 6.1 · EPSS 0.01548
Exploits 0 · References 2 · Affected Software 2

IBM Security Bulletins
added 2019/02/12 6:40 p.m. · 27 views

Security Bulletin: Publicly Disclosed Vulnerability Found By vFinder (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536)

Summary Previous releases of IBM UrbanCode Deploy are affected by multiple vulnerabilities in Eclipse Jetty Vulnerability Details CVEID: CVE-2017-7658 DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length headers. By sendin...

CVSS 9.8 · AI score 0.3 · EPSS 0.20985
Exploits 0 · Affected Software 1

IBM Security Bulletins
added 2019/01/10 7:5 p.m. · 41 views

Security Bulletin: Multiple Vulnerabilities in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2018-11784)

Summary Previous releases of IBM UrbanCode Deploy are affected by multiple vulnerabilities in Apache Tomcat. Vulnerability Details CVEID: CVE-2018-11784 DESCRIPTION: Apache Tomcat could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the default...

CVSS 7.5 · AI score 0.8 · EPSS 0.94494
Exploits 3 · Affected Software 1

OSV
added 2019/01/07 4:29 p.m. · 31 views

CVE-2018-11788

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

CVSS 9.8 · AI score 9.4 · EPSS 0.0748
Exploits 0 · References 2

CVE
added 2019/01/07 4:0 p.m. · 98 views

CVE-2018-11788

Apache Karaf contains an XXE vulnerability in its XMLInputFactory used by the features deployer. The XMLInputFactory does not implement mitigation against external entities, enabling potential XML External Entity Injection in Karaf versions prior to 4.1.7 and prior to 4.2.2. First fixed in Karaf ...

CVSS 9.8 · AI score 9.3 · EPSS 0.0748
Exploits 0 · References 2 · Affected Software 1

OSV
added 2018/12/05 6:29 p.m. · 15 views

CVE-2018-15797

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry...

CVSS 8.8 · AI score 6.8 · EPSS 0.01579
Exploits 0 · References 1

Prion
added 2018/12/05 6:29 p.m. · 13 views

Default credentials

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry...

CVSS 4 · AI score 8.5 · EPSS 0.01579
Exploits 0 · References 1 · Affected Software 1

NVD
added 2018/12/05 6:29 p.m. · 20 views

CVE-2018-15797

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry...

CVSS 8.8 · AI score 8.5 · EPSS 0.01579
Exploits 0 · References 1

Cvelist
added 2018/12/05 6:0 p.m. · 19 views

CVE-2018-15797 NFS Volume release errand leaks cf admin credentials in logs

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry...

CVSS 8.4 · AI score 8.6 · EPSS 0.01579
Exploits 0 · References 1

CVE
added 2018/12/05 6:0 p.m. · 35 views

CVE-2018-15797

The CVE affects Cloud Foundry NFS volume release versions 1.2.x before 1.2.5, 1.5.x before 1.5.4, and 1.7.x before 1.7.3. A remote authenticated user with access to BOSH can obtain the CF admin username and password from logs produced by the nfsbrokerpush deploy errand, exposing admin credentials...

CVSS 8.8 · AI score 8.6 · EPSS 0.01579
Exploits 0 · References 1 · Affected Software 1