133 matches found

Positive Technologies
added 2024/05/02 12:0 a.m. · 3 views

PT-2024-25717 · Jenkins · Jenkins Git Server Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Git server Plugin versions 114.v068a c7cc2574 and earlier
Description: The issue is related to a lack of permission check for read access to a Git repository over SSH. Attackers with a previously configured SSH public key but lacking...

CVSS 6.5 · AI score 6.8 · EPSS 0.0007
Exploits 0 · References 7
Tenable Nessus
added 2024/05/02 12:0 a.m. · 55 views

Jenkins plugins Multiple Vulnerabilities (2024-05-02)

According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are...

CVSS 9.8 · AI score 6.9 · EPSS 0.5636
Exploits 0 · References 6
Veracode
added 2024/01/29 9:10 a.m. · 22 views

Arbitrary File Read

Jenkins Git server Plugin is vulnerable to Information Disclosure. The vulnerability is caused due to a lack of proper input validation in the Git Server Plugin's command parser feature. This allows an attacker with Overall/Read permission to read content from arbitrary files on the Jenkins...

CVSS 6.5 · AI score 6.6 · EPSS 0.00494
Exploits 0 · References 4 · Affected Software 1
RedhatCVE
added 2024/01/25 8:21 p.m. · 40 views

CVE-2024-23899

A flaw was found in the Git Server Plugin for Jenkins. This issue could allow an attacker to read the first two lines of arbitrary files on the server's file system...

CVSS 8.8 · AI score 6.8 · EPSS 0.00494
Exploits 0 · References 5
Github Security Blog
added 2024/01/24 6:31 p.m. · 38 views

Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the args4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents...

CVSS 6.5 · AI score 6.5 · EPSS 0.00494
Exploits 0 · References 5 · Affected Software 1
OSV
added 2024/01/24 6:31 p.m. · 24 views

GHSA-VPH5-2Q33-7R9H Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the args4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents...

CVSS 8.8 · AI score 7.8 · EPSS 0.00494
Exploits 0 · References 5
OSV
added 2024/01/24 6:15 p.m. · 3 views

CVE-2024-23899

Jenkins Git server Plugin 99.va0826abcdfad and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenki...

CVSS 6.5 · AI score 6.9
Exploits 0 · References 2
CVE
added 2024/01/24 5:52 p.m. · 118 views

CVE-2024-23899

Technical details about CVE-2024-23899 are not publicly available in the connected documents provided. The initial description contains some specifics, but no further technical root cause, affected versions, or fixes are confirmed here. Monitor for updates.

CVSS 6.5 · AI score 6.5 · EPSS 0.00494
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2024/01/24 5:52 p.m. · 19 views

CVE-2024-23899

Jenkins Git server Plugin 99.va0826abcdfad and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenki...

AI score 7 · EPSS 0.00494
Exploits 0 · References 2
Positive Technologies
added 2023/09/19 12:0 a.m. · 3 views

PT-2023-20138 · Nvidia · Nvidia Dgx A100

Name of the Vulnerable Software and Affected Versions: NVIDIA DGX H100 baseboard management controller (BMC), affected versions not specified
Description: The NVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin. An unauthenticated attacker may cause a...

CVSS 9.8 · AI score 9.7 · EPSS 0.00492
Exploits 0 · References 9
Nvidia
added 2023/08/28 12:0 a.m. · 69 views

Security Bulletin: NVIDIA DGX H100 - August 2023

NVIDIA has released a firmware security update for the NVIDIA DGX™ H100 system. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. To protect your system, download and install this firmware update...

CVSS 9.8 · AI score 8.4 · EPSS 0.00492
Exploits 0 · Affected Software 1
Github Security Blog
added 2023/06/14 3:30 p.m. · 26 views

Stored XSS vulnerability in Jenkins Maven Repository Server Plugin

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Maven project versions in pom.xml...

CVSS 5.4 · AI score 5.5 · EPSS 0.07556
Exploits 0 · References 4 · Affected Software 1
OSV
added 2023/06/14 3:30 p.m. · 19 views

GHSA-39R8-4962-J7VG Stored XSS vulnerability in Jenkins Maven Repository Server Plugin

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability...

CVSS 5.4 · AI score 5.4 · EPSS 0.07
Exploits 0 · References 3
OSV
added 2023/06/14 1:15 p.m. · 1 view

CVE-2023-35143

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Maven project versions in pom.xml...

CVSS 5.4 · AI score 5.7 · EPSS 0.07556
Exploits 0 · References 2
CVE
added 2023/06/14 12:53 p.m. · 52 views

CVE-2023-35144

CVE-2023-35144 affects the Jenkins Maven Repository Server Plugin, versions 1.10 and earlier. The vulnerability arises from improper escaping of project and build display names on the Build Artifacts As Maven Repository page, enabling a stored XSS attack. Impact: attacker-controlled input could e...

CVSS 5.4 · AI score 5.2 · EPSS 0.07
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2023/06/14 12:53 p.m. · 10 views

CVE-2023-35143

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Maven project versions in pom.xml...

AI score 5.7 · EPSS 0.07556
Exploits 0 · References 2
Positive Technologies
added 2023/06/14 12:0 a.m. · 3 views

PT-2023-25162 · Jenkins · Jenkins Maven Repository Server Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Maven Repository Server Plugin versions 1.10 and earlier
Description: The issue results in a stored cross-site scripting (XSS) vulnerability. This occurs because the versions of build artifacts on the Build Artifacts As Maven Repository...

CVSS 5.4 · AI score 5.5 · EPSS 0.07556
Exploits 0 · References 7
OSV
added 2023/04/12 6:30 p.m. · 26 views

GHSA-4697-3G92-GH78 Jenkins Thycotic Secret Server Plugin missing permissions check

Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials usin...

CVSS 4.3 · AI score 4.7 · EPSS 0.00292
Exploits 0 · References 3
NVD
added 2023/04/12 6:15 p.m. · 11 views

CVE-2023-30518

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVSS 4.3 · AI score 4.5 · EPSS 0.00292
Exploits 0 · References 2
Prion
added 2023/04/12 6:15 p.m. · 17 views

Information disclosure

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVSS 4 · AI score 4.4 · EPSS 0.00292
Exploits 0 · References 2 · Affected Software 1