398 matches found

Github Security Blog
added 2022/09/22 12:00 a.m. | 34 views

Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

Jenkins extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. As of publicati...

CVSS 5.4 | AI score 5.2 | EPSS 0.00449
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2022/09/22 12:00 a.m. | 45 views

CSRF vulnerability in Jenkins Security Inspector plugin

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized...

CVSS 8.8 | AI score 8.2 | EPSS 0.00362
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2022/09/22 12:00 a.m. | 25 views

Missing permission check in Jenkins build-publisher Plugin

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to tho...

CVSS 4.3 | AI score 5.6 | EPSS 0.00503
Exploits 0 | References 5 | Affected Software 1
OSV
added 2022/09/22 12:00 a.m. | 27 views

GHSA-52V4-WXRX-GJJM Jenkins Apprenda Plugin has Missing Authorization vulnerability

Jenkins Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CVSS 4.3 | AI score 4.6 | EPSS 0.00529
Exploits 0 | References 4
ClickHouse
added 2022/09/22 12:00 a.m. | 11 views

CVE-2022-44010

A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted HTTP request to the HTTP Endpoint listening on port 8123 by default, causing a heap-based buffer overflow that crashes the ClickHouse server process. This attack does not require...

CVSS 7.5 | AI score 5.7 | EPSS 0.00968
Exploits 0
NVD
added 2022/09/21 4:15 p.m. | 20 views

CVE-2022-41230

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to tho...

CVSS 4.3 | EPSS 0.00503
Exploits 0 | References 1
OSV
added 2022/09/21 4:15 p.m. | 17 views

CVE-2022-41230

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to tho...

CVSS 4.3 | AI score 4.4
Exploits 0 | References 1
Prion
added 2022/09/21 4:15 p.m. | 14 views

Code injection

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to tho...

CVSS 4 | AI score 4.4 | EPSS 0.00503
Exploits 0 | References 1 | Affected Software 1
CVE
added 2022/09/21 3:45 p.m. | 88 views

CVE-2022-41230

CVE-2022-41230 affects Jenkins Build-Publisher Plugin 1.22 and earlier. The root cause is a missing permission check in an HTTP endpoint, enabling attackers with Overall/Read permission to enumerate sensitive data: names and URLs of Jenkins servers configured for publishing, plus builds pending f...

CVSS 4.3 | AI score 4.3 | EPSS 0.00503
Exploits 0 | References 1 | Affected Software 1
OSV
added 2022/07/28 12:00 a.m. | 24 views

GHSA-X7W4-VFRH-FC3H Jenkins Coverity Plugin allows attackers with Overall/Read permission to enumerate credentials IDs

Jenkins Coverity Plugin 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CVSS 4.3 | AI score 4.7 | EPSS 0.00561
Exploits 0 | References 4
OSV
added 2022/07/28 12:00 a.m. | 20 views

GHSA-99MQ-HW5M-GWJJ Missing permission check in Coverity Plugin allows capturing credentials

Coverity Plugin 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 7.1 | AI score 7.9 | EPSS 0.00705
Exploits 0 | References 4
OSV
added 2022/07/28 12:00 a.m. | 14 views

GHSA-9XHM-6W5P-335V Jenkins Google Cloud Backup Plugin allows attackers with Overall/Read permission to request a manual backup.

Jenkins Google Cloud Backup Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to request a manual backup. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSR...

CVSS 4.3 | AI score 4.9 | EPSS 0.00488
Exploits 0 | References 3
OSV
added 2022/07/28 12:00 a.m. | 23 views

GHSA-M485-79JQ-CXX7 CSRF vulnerability in Jenkins Google Cloud Backup Plugin

Jenkins Google Cloud Backup Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability...

CVSS 4.3 | AI score 7.9 | EPSS 0.00419
Exploits 0 | References 4
Github Security Blog
added 2022/07/28 12:00 a.m. | 22 views

CSRF vulnerability in Jenkins Google Cloud Backup Plugin

Jenkins Google Cloud Backup Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability...

CVSS 8 | AI score 7.5 | EPSS 0.00419
Exploits 0 | References 4 | Affected Software 1
Github Security Blog
added 2022/07/28 12:00 a.m. | 21 views

Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. Deployer Framework Plugin 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...

CVSS 4.3 | AI score 4.8 | EPSS 0.0047
Exploits 0 | References 5 | Affected Software 1
Prion
added 2022/07/01 2:15 p.m. | 17 views

Design/Logic Flaw

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken, but this value is user controlled. If a bogus application is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached...

CVSS 5 | AI score 7.1 | EPSS 0.00822
Exploits 0 | References 1 | Affected Software 1
OSV
added 2022/07/01 12:01 a.m. | 22 views

GHSA-2348-CCQJ-8P27 Jenkins RQM Plugin allows enumerating credentials IDs due to missing permission check

Jenkins RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerabili...

CVSS 4.3 | AI score 6.5 | EPSS 0.00618
Exploits 0 | References 3
OSV
added 2022/07/01 12:01 a.m. | 22 views

GHSA-QM37-C4W6-H9V9 Missing Authorization in Jenkins XPath Configuration Viewer Plugin

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data...

CVSS 4.3 | AI score 4.7 | EPSS 0.00501
Exploits 0 | References 2
Github Security Blog
added 2022/07/01 12:01 a.m. | 39 views

Missing Authorization in Jenkins XPath Configuration Viewer Plugin

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data...

CVSS 4.3 | AI score 4.8 | EPSS 0.00501
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2022/07/01 12:01 a.m. | 23 views

Jenkins RQM Plugin allows enumerating credentials IDs due to missing permission check

Jenkins RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerabili...

CVSS 6.5 | AI score 6 | EPSS 0.00618
Exploits 0 | References 3 | Affected Software 1