363 matches found
CVE-2019-1003072
Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
CVE-2019-1003080
Summary: CVE-2019-1003080 is a cross-site request forgery in the Jenkins OpenShift Deployer Plugin. The issue resides in DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation, permitting an attacker to cause the plugin to connect to an attacker‑specified server. Public source...
CVE-2019-1003081
The CVE describes a missing permission check in the Jenkins OpenShift Deployer Plugin, specifically in DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation. Attackers with Overall/Read permission can trigger a connection to an attacker‑specified server, enabling potential un...
CVE-2019-1003056
Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
CVE-2019-1003072
Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This...
PT-2019-11371 · Jenkins · Jenkins Openshift Deployer Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins OpenShift Deployer Plugin affected versions not specified Description: A missing permission check in the DeployApplication.DeployApplicationDescriptordoCheckLogin form validation method allows attackers with Overall/Read permission to...
PT-2019-11370 · Jenkins · Jenkins Openshift Deployer Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins OpenShift Deployer Plugin affected versions not specified Description: A cross-site request forgery issue exists in the DeployApplication.DeployApplicationDescriptordoCheckLogin form validation method, allowing attackers to initiate a...
PT-2019-11346 · Jenkins · Jenkins Websphere Deployer Plugin
Name of the Vulnerable Software and Affected Versions: Jenkins WebSphere Deployer Plugin affected versions not specified Description: The issue concerns the storage of credentials in an unencrypted manner within job config.xml files on the Jenkins master or controller. These credentials can be...
CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This...
CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This...
CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This...
CVE-2019-0191
Summary: CVE-2019-0191 affects Apache Karaf kar deployer. The ZIP-slip vulnerability arises because the kar deployer reads .kar archives and extracts entries from repository/ and resources/ without validating paths, allowing a malicious .kar to contain directory traversal (..), which can cause th...
XML External Entity Reference in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
GHSA-92WJ-X78C-M4FX XML External Entity Reference in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
Design/Logic Flaw
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
Apache Karaf contains an XXE vulnerability in its XMLInputFactory used by the features deployer. The XMLInputFactory does not implement mitigation against external entities, enabling potential XML External Entity Injection in Karaf versions prior to 4.1.7 and prior to 4.2.2. First fixed in Karaf ...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...