43 matches found
EUVD-2022-2708
Malicious code in bioql PyPI...
EUVD-2022-2814
Malicious code in bioql PyPI...
EUVD-2023-2579
Malicious code in bioql PyPI...
Jenkins temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
CVE-2023-43497
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controll...
CVE-2023-43497
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controll...
Design/Logic Flaw
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controll...
CVE-2023-43497
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controll...
CVE-2023-43497
CVE-2023-43497 affects Jenkins 2.423 and earlier, and LTS 2.414.1 and earlier. The root cause is in processing file uploads via the Stapler web framework, which creates temporary files in the system temporary directory with default permissions. This could let an attacker with access to the Jenkin...
SUSE CVE-2019-10354
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information...
Jenkins plugins Multiple Vulnerabilities (2022-06-22)
According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Multiple cross-site scripting XSS vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and...
Unauthorized view fragment access in Jenkins
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access ...
Cross-Site Request Forgery in Jenkins
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlie...
Improper Limitation of a Pathname to a Restricted Directory in Jenkins
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java,...
Improper Input Validation in Jenkins
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins...
Request logging bypass in Jenkins Audit Trail Plugin
Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlie...
CVE-2020-2287
Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL...
CVE-2020-2287
Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL...
CVE-2018-1000861
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not...
jenkins: Unauthorized view fragment access (SECURITY-534)
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information...