82 matches found
GHSA-264W-XRR7-6QQG RCE vulnerability in Jenkins OpenShift Pipeline Plugin
OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step. OpenShift...
RCE vulnerability in Jenkins OpenShift Pipeline Plugin
OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step. OpenShift...
Jenkins Build Pipeline Plugin vulnerable to Cross-site Scripting
Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
GHSA-CX5R-P4VJ-2MQH Jenkins Build Pipeline Plugin vulnerable to Cross-site Scripting
Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security...
Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management SCM to effectively change the Pipeline...
Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. Version 1.0.8 of the plugin converts the value to a boolean true/false...
GHSA-G364-C7W5-93WH Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. Version 1.0.8 of the plugin converts the value to a boolean true/false...
ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +2157 more potentially affected by CVE-2010-3700 via org.acegisecurity:acegi-security (>=1.0.0 <=1.0.7)
org.acegisecurity:acegi-security MAVEN version =1.0.0, =1.1, =0.0.1, =1.0, =1.0, =0.0.1, =0.1.1, =0.1.0, =1.0, =1.17.3 and more Source cves: CVE-2010-3700 Source advisory: OSV:GHSA-3295-H9QX-R82X...
Asset Pipeline plugin for Grails vulnerable to Path Traversal
An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty, because there is a classloader vulnerability that can allow a reverse file traversal route in...
Incorrect permission checks in Pipeline: Nodes and Processes plugin
On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline node blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes...
org.jenkins-ci.plugins.workflow:workflow-aggregator (>=2.0 <=2.2), org.jenkins-ci.plugins:token-macro (=2.2) +1 more potentially affected by CVE-2022-25184 via org.jenkins-ci.plugins:pipeline-build-step (>=2.0 <=2.1)
org.jenkins-ci.plugins:pipeline-build-step MAVEN version =2.0, =2.0, =1.0.0, =1.0.8 Source cves: CVE-2022-25184 Source advisory: OSV:GHSA-G84F-CMC8-682C...
PT-2020-15481 · Jenkins · Jenkins Pipeline Maven Integration Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline Maven Integration Plugin versions 3.9.2 and earlier Description: The issue results in a stored cross-site scripting XSS vulnerability. This occurs because the upstream job's display name shown as part of a build cause is not...
CloudBees Jenkins Pipeline Maven Integration Plugin Unauthorized Access Vulnerability
CloudBees Jenkins Hudson Labs is the United States CloudBees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed execution of the task . An unauthorized access...
CVE-2020-2214
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...
CVE-2020-2214
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...
Design/Logic Flaw
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...
CVE-2020-2214
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download...
PT-2020-15429 · Jenkins · Jenkins +1
Name of the Vulnerable Software and Affected Versions: Jenkins ZAP Pipeline Plugin versions 1.9 and earlier Jenkins versions prior to 2.228 excluding 2.227 and older, 2.204.5 and older, due to different security concerns Jenkins versions 2.228 through 2.230 Jenkins 2.222.x LTS versions Jenkins...
The vulnerability of the YAML syntax analyzer plugin for working with the OpenShift Jenkins OpenShift Pipeline plugin allows a attacker to execute arbitrary code.
The vulnerability of the YAML syntax analyzer for the OpenShift Jenkins OpenShift Pipeline Plugin is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...
openshift/jenkins-plugin: Deserialization in snakeyaml YAML() objects allows for remote code execution
Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability...