Microsoft CVE
added 2025/10/02 6:11 a.m., 3 views

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.

...

CVSS 5.3, AI score 7, EPSS 0.00513
Exploits 0
OSV
added 2022/10/19 7:00 p.m., 34 views

GHSA-J7PG-863G-22P6 Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin

Mercurial Plugin provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET...

CVSS 5.3, AI score 5.2, EPSS 0.00513
Exploits 0, References 5
OSV
added 2022/10/19 4:15 p.m., 28 views

CVE-2022-43410

Jenkins Mercurial Plugin 1251.vab121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access...

CVSS 5.3, AI score 5.1
Exploits 0, References 2
CVE
added 2022/10/19 12:00 a.m., 247 views

CVE-2022-43410

CVE-2022-43410 concerns the Jenkins Mercurial Plugin (1251.va_b_121f184902 and earlier) where the webhook endpoint /mercurial/notifyCommit can reveal which jobs were triggered or scheduled for polling, including those the viewer lacks permission to access. This constitutes information disclosure ...

CVSS 5.3, AI score 5, EPSS 0.00513
Exploits 0, References 2, Affected software 1
Cvelist
added 2022/10/19 12:00 a.m., 20 views

CVE-2022-43410

Jenkins Mercurial Plugin 1251.vab121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access...

AI score 5.4, EPSS 0.00513
Exploits 0, References 2
AlpineLinux
added 2022/10/19 12:00 a.m., 32 views

CVE-2022-43410

Jenkins Mercurial Plugin 1251.vab121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access...

CVSS 5.3, AI score 2.2, EPSS 0.00513
Exploits 0, References 2
Tenable Nessus
added 2022/06/16 12:00 a.m., 67 views

Jenkins plugins Multiple Vulnerabilities (2022-05-17)

According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Jenkins Pipeline: Groovy Plugin 2689.v434009a31bf1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenki...

CVSS 8.8, AI score 7.2, EPSS 0.00544
Exploits 0, References 29
OSV
added 2022/05/24 5:33 p.m., 34 views

GHSA-X58R-WXC3-7PQR XXE vulnerability in Jenkins Mercurial Plugin

Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction...

CVSS 6.5, AI score 6.4, EPSS 0.00503
Exploits 0, References 5
Github Security Blog
added 2022/05/24 5:33 p.m., 34 views

Missing Authorization in Jenkins Mercurial Plugin

Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission...

CVSS 4.3, AI score 5.5, EPSS 0.00064
Exploits 0, References 5, Affected software 1
Github Security Blog
added 2022/05/24 5:33 p.m., 35 views

XXE vulnerability in Jenkins Mercurial Plugin

Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction...

CVSS 6.5, AI score 6.6, EPSS 0.00503
Exploits 0, References 5, Affected software 1
CNVD
added 2022/05/19 12:00 a.m., 13 views

Jenkins Mercurial Plugin Information Disclosure Vulnerability

Jenkins and Jenkins Plugin are both open source Jenkins products. Jenkins is an application: an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is an application. An information disclosure vulnerability...

CVSS 7.5, AI score 1.4, EPSS 0.00544
Exploits 0, References 1
OSV
added 2022/05/18 12:00 a.m., 28 views

GHSA-5786-3QJG-MR88 Path traversal in Jenkins Mercurial Plugin

SCMs support a number of different URL schemes, including local file system paths e.g. using file: URLs. Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unles...

CVSS 3.7, AI score 7.3, EPSS 0.00544
Exploits 0, References 5
NVD
added 2022/05/17 3:15 p.m., 27 views

CVE-2022-30948

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents...

CVSS 7.5, EPSS 0.00544
Exploits 0, References 2
CVE
added 2022/05/17 2:06 p.m., 120 views

CVE-2022-30948

CVE-2022-30948 affects Jenkins Mercurial Plugin 2.16 and earlier. It allows pipelines to check out SCM repositories stored on the Jenkins controller’s file system via local-path SCM URLs, yielding limited information about other projects’ SCM contents. The issue is confirmed in multiple sources (...

CVSS 7.5, AI score 7.2, EPSS 0.00544
Exploits 0, References 2, Affected software 1
Cvelist
added 2022/05/17 2:06 p.m., 20 views

CVE-2022-30948

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents...

AI score 7.6, EPSS 0.00544
Exploits 0, References 2
AlpineLinux
added 2022/05/17 2:06 p.m., 67 views

CVE-2022-30948

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents...

CVSS 7.5, AI score 4, EPSS 0.00544
Exploits 0, References 2
CNNVD
added 2022/05/17 12:00 a.m., 5 views

Jenkins Mercurial Plugin Information Disclosure Vulnerability

Jenkins and Jenkins Plugin are both open source Jenkins products. Jenkins is an application: an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is an application. An information disclosure vulnerability...

CVSS 7.5, AI score 7.3, EPSS 0.00544
Exploits 0, References 5
OSV
added 2022/05/13 1:48 a.m., 20 views

GHSA-F9CX-789C-W2MR Incorrect Authorization in Jenkins Mercurial Plugin

An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users...

CVSS 5.3, AI score 5, EPSS 0.00052
Exploits 0, References 3
Github Security Blog
added 2022/05/13 1:48 a.m., 24 views

Incorrect Authorization in Jenkins Mercurial Plugin

An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users...

CVSS 5.3, AI score 5.5, EPSS 0.00052
Exploits 0, References 4, Affected software 1
RedhatCVE
added 2021/06/13 5:51 a.m., 105 views

CVE-2020-2305

A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack, allowing an attacker able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of...

CVSS 6.5, AI score 2.7, EPSS 0.00503
Exploits 0, References 4