22 matches found
EUVD-2022-2192
Malicious code in bioql PyPI...
CVE-2020-2285
A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
CVE-2018-1000146
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...
SUSE CVE-2018-1000146
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...
Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs
Liquibase Runner Plugin 1.4.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
GHSA-XX7G-F287-F9FQ XXE vulnerability in Jenkins Liquibase Runner Plugin
Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of...
Stored XSS vulnerability in Jenkins Liquibase Runner Plugin
Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. Liquibase Runner Plugin 1.4.7 no...
XXE vulnerability in Jenkins Liquibase Runner Plugin
Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of...
GHSA-3HVC-XWJP-XR8M Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...
CVE-2020-2285
A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
CVE-2020-2283
Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting XSS vulnerability exploitable by users able to control changeset files evaluated by the plugin...
Information disclosure
A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
CVE-2020-2284
Jenkins Liquibase Runner Plugin versions ≤ 1.4.5 are affected by an XXE vulnerability caused by an XML parser not configured to prevent external entities. This could allow an attacker to supply crafted Liquibase changesets that are parsed by Jenkins to exfiltrate secrets or enable SSRF. The issue...
CVE-2020-2285
The CVE concerns Jenkins Liquibase Runner Plugin (versions ≤ 1.4.7). A missing permission check in the plugin’s HTTP endpoint allows attackers with Overall/Read permission to enumerate credentials IDs stored in Jenkins. This credential enumeration is the primary impact described, and attackers co...
CVE-2020-2283
Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting XSS vulnerability exploitable by users able to control changeset files evaluated by the plugin...
CVE-2020-2283
The CVE-2020-2283 entry concerns Jenkins Liquibase Runner Plugin versions 1.4.5 and earlier, where changeset contents are not escaped when shown on the build page, enabling stored XSS. Exploitation requires an attacker able to provide Liquibase changesets evaluated by the plugin. Public advisorie...
PT-2020-15515 · Jenkins · Jenkins Liquibase Runner Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Liquibase Runner Plugin versions 1.4.7 and earlier Description: A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can be done...
Remote code execution
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...
CVE-2018-1000146
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...
CVE-2018-1000146
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM...