CVE-2022-30308
CVE-2022-30308 affects the Festo Controller CECC-X-M1 family. The HTTP endpoint "cecc-x-web-viewer-request-on" (and related endpoints) does not validate port syntax in POST requests, enabling unauthorized execution of system commands with root privileges due to improper access control command injec...
CVE-2022-30309
In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-web-viewer-request-off" does not check port syntax in POST requests. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection...
GHSA-C4C3-3CGH-VVRH Missing permission check in Jenkins requests-plugin Plugin allows viewing pending requests
Jenkins requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. Jenkins requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pendin...
Missing permission check in Jenkins requests-plugin Plugin allows viewing pending requests
Jenkins requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view the list of pending requests. Jenkins requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pendin...
GHSA-W3GM-VV58-WR55 Missing permission check in Jenkins requests-plugin Plugin allows sending emails
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. Jenkins requests-plugin Plugin 2.2.8 requires Overall/Administer permission to...
Missing permission check in Jenkins requests-plugin Plugin allows sending emails
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. Jenkins requests-plugin Plugin 2.2.8 requires Overall/Administer permission to...
Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds
Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP...
GHSA-7RX6-4VWV-432G Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds
Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP...
CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an...
Missing permission check in Jenkins Team Foundation Server Plugin allows enumerating credentials IDs
Jenkins Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials...
GHSA-W24G-24QG-V4W2 CSRF vulnerability in Jenkins Build With Parameters Plugin
Jenkins Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to build a project with attacker-specified parameters. Build With Parameters Plug...
GHSA-42MM-X828-56C7 CSRF vulnerability in Jenkins Configuration Slicing Plugin
Jenkins Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to apply different slice configurations to attacker-specifi...
GHSA-HX53-635R-VMV8 Missing permission checks in Jenkins Chaos Monkey Plugin
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint. This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. Jenkins Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to...
Missing authorization in Jenkins Kubernetes Plugin
Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the...
Missing Authorization in Jenkins Kubernetes Plugin
Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to list global pod template names. Kubernetes Plugin 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 requires Overall/Administer...
GHSA-RR6J-37CV-C7X7 Missing Authorization in Jenkins Kubernetes Plugin
Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to list global pod template names. Kubernetes Plugin 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 requires Overall/Administer...
Missing permission check in Jenkins Active Directory Plugin allows accessing domain health check page
Jenkins Active Directory Plugin 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. Jenkins Active Directory Plugin 2.20 requires Overall/Administer permission to access the...
GHSA-Q6RQ-4WHR-R879 Missing permission check in Jenkins Active Directory Plugin allows accessing domain health check page
Jenkins Active Directory Plugin 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. Jenkins Active Directory Plugin 2.20 requires Overall/Administer permission to access the...
GHSA-44CM-P9Q7-RR3P Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs
Liquibase Runner Plugin 1.4.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission check in Jenkins Implied Labels Plugin allows reconfiguring the plugin
Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to configure the plugin. Implied Labels Plugin 0.7 requires Overall/Administer permission to configure the plugin...