29 matches found
GHSA-8MPM-Q7MH-8FVH Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)
Summary: The Capgo CLI writes sensitive local files (the .capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when...
CVE-2024-52517
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...
Nextcloud Information Disclosure Vulnerability (CNVD-2025-11221)
Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. Nextcloud suffers from an information disclosure vulnerability that stems from the fact that after storing "global credentials" on the server, the API returns...
CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...
Nextcloud Information Disclosure Vulnerability
Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. Nextcloud suffers from an information disclosure vulnerability that stems from the fact that after storing "global credentials" on the server, the API returns...
PT-2024-9159 · Nextcloud +2 · Nextcloud Enterprise Server +3
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 28.0.11; Nextcloud Server versions prior to 29.0.8; Nextcloud Server versions prior to 30.0.1; Nextcloud Enterprise Server versions prior to 25.0.13.13; Nextcloud Enterprise Server versions prior to 26.0.13.9...
CVE-2024-39459
A vulnerability was found in the Jenkins Plain Credentials Plugin, which stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system. Users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission...
CVE-2024-39459
In rare cases Jenkins Plain Credentials Plugin 182.v468b97b9dcb8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with...
CVE-2024-39459
In Jenkins, the Plain Credentials Plugin (versions 182.v468b_97b_9dcb_8 and earlier) can store secret file credentials unencrypted (Base64 only) on the Jenkins controller filesystem. This allows users with access to the controller filesystem or with Item/Extended Read permissions to view those cr...
Jenkins Plugin Plain Credentials Security Vulnerability
Jenkins and Jenkins Plugin are both Jenkins open source products. Jenkins is a software application. An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is an application software ... A security vulnerabili...
Nextcloud: Admins can change authentication details of user configured external storage
A vulnerability was found where admins could change authentication details of user configured external storage. This allowed malicious admins to modify global credentials for other admin and user external storage...
PT-2021-14676 · Jenkins · Jenkins Owasp Dependency-Track Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins OWASP Dependency-Track Plugin versions 3.1.0 and earlier. Description: A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. The issue arises...
CVE-2018-2634
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application...
Information Disclosure
Oracle Java SE is vulnerable to information disclosure attacks. This is because the JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. A local attacker could possibly use thi...
OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application...