332 matches found
CVE-2019-16548
CVE-2019-16548 concerns the Jenkins Google Compute Engine Plugin (up to v4.1.1). The vulnerability is a CSRF flaw in ComputeEngineCloud#doProvision that could be abused to provision new agents without proper authorization. Impact is exposure of administrative actions (agent provisioning) via CSRF...
CVE-2019-16546
Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks...
CVE-2019-16547
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment...
CVE-2019-16546
CVE-2019-16546 affects Jenkins Google Compute Engine Plugin 4.1.1 and earlier. The root cause is that the plugin does not verify SSH host keys when connecting agents, which enables a man-in-the-middle (MITM) scenario. Public-facing references in the connected documents confirm this behavior and d...
CVE-2019-16547
CVE-2019-16547 affects the Jenkins Google Compute Engine Plugin (versions up to 4.1.1). The issue is missing permission checks on several API endpoints, allowing users with Overall/Read to obtain limited information about the plugin configuration and environment. In practice, the impact is inform...
PT-2019-14701 · Jenkins · Jenkins Google Compute Engine Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier Description: The issue allows man-in-the-middle attacks due to the lack of SSH host key verification when connecting agents created by the plugin. This enables potential attacker...
PT-2019-14703 · Jenkins · Jenkins Google Compute Engine Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier Description: A cross-site request forgery issue exists in the ComputeEngineCloud#doProvision function, which could be used to provision new agents. The Google Compute Engine Plugi...
PT-2019-14702 · Jenkins · Jenkins Google Compute Engine Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier Description: The issue is related to missing permission checks in various API endpoints, allowing attackers with Overall/Read permission to obtain limited information about the...
Wallarm Node — now as a Google Cloud image
Today we’re excited to announce native availability of the Wallarm Node image for Google Cloud Platform (GCP). Many Wallarm customers and prospects use Google Cloud for its high-performance, scalable infrastructure with excellent price/performance. The ability to customize machine types to customer...
Google releases Cloud-based Web App Vulnerability Scanner and Assessment Tool
Google on Thursday unleashed its own free web application vulnerability scanner tool, which the search engine giant calls Google Cloud Security Scanner, that will potentially scan developers' applications for common security vulnerabilities on its cloud platform more effectively. SCANNER ADDRESSE...
Google Compute Engine Lateral Compromise
If a user creates a GCE VM with compute-rw privileges and that single VM is subsequently compromised, the result can be a global compromise of all VMs inside the account. VMs created in the web UI, by default, come with compute-rw privileges. Google’s account manager fetches SSH keys from the...