Lucene search
K
JenkinsRecent

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/08/07 12:0 a.m.•5 views

Arbitrary file read vulnerability through agent connections can lead to RCE

NOTE: This entry was updated on 2024-08-10 to add a reference to a https://github.com/jenkinsci-cert/SECURITY-3430workaround. Jenkins uses the https://github.com/jenkinsci/remotingRemoting library typically agent.jar or remoting.jar for the communication between controller and agents. This librar...

9CVSS7.9AI score0.28782EPSS
Exploits4Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/08/07 12:0 a.m.•17 views

Missing permission check allows accessing other users' "My Views"

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...

6.3CVSS6.7AI score0.04263EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/06/26 12:0 a.m.•5 views

Exposure of secrets through system log in structs

structs provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When structs 337.v1b04ea4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secre...

3.1CVSS5.1AI score0.00439EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/06/26 12:0 a.m.•31 views

Secret file credentials stored unencrypted in rare cases by plain-credentials

When creating secret file credentials plain-credentials 182.v468b97b9dcb8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be...

4.3CVSS5.6AI score0.00419EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/06/26 12:0 a.m.•8 views

Bitbucket OAuth access token exposed in the build log by cloudbees-bitbucket-branch-source

cloudbees-bitbucket-branch-source 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. cloudbees-bitbucket-branch-source 887.vad359b3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL i...

4.3CVSS5AI score0.00489EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•7 views

Stored XSS vulnerability in teamconcert-git

teamconcert-git 2.0.4 and earlier does not escape the Rational Team Concert RTC server URI on the build page when showing changes. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. teamconcert-git 2.0.5 escapes the Rational Team Conce...

8CVSS4.9AI score0.00327EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•4 views

XXE vulnerabilities in hp-application-automation-tools-plugin

hp-application-automation-tools-plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity XXE attacks. This allows attackers able to control the input files for hp-application-automation-tools-plugin build steps and post-build steps to have Jenkins parse a crafte...

8CVSS5.3AI score0.00442EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•5 views

Missing permission checks in hp-application-automation-tools-plugin

hp-application-automation-tools-plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations...

4.3CVSS5.2AI score0.0027EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/24 12:0 a.m.•6 views

Path traversal vulnerability in report-info

report-info 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, report-info does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire...

4.3CVSS5.1AI score0.00831EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/02 12:0 a.m.•5 views

Missing permission check in git-server

git-server 114.v068ac7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. git-server 117.veb68868fa027 requires...

6.5CVSS6.4AI score0.00522EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/02 12:0 a.m.•14 views

Multiple sandbox bypass vulnerabilities in script-security

script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...

9.8CVSS7.7AI score0.48081EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/02 12:0 a.m.•11 views

Token stored in plain text by telegram-notifications

telegram-notifications 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...

4.3CVSS6.4AI score0.0052EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/05/02 12:0 a.m.•5 views

Security protection disabled by svn-partial-release-mgr

svn-partial-release-mgr 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721. A...

6.8CVSS6.2AI score0.02124EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/04/17 12:0 a.m.•6 views

Terrapin SSH vulnerability in Jenkins CLI client

The CLI client jenkins-cli.jar in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to https://vulners.com/cve/CVE-2023-48795CVE-2023-48795 https://en.wikipedia.org/wiki/TerrapinattackTerrapin attack. This vulnerability allows...

5.9CVSS7AI score0.9378EPSS
Exploits4Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/20 12:0 a.m.•5 views

HTTP/2 denial of service vulnerability in bundled Jetty

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.443 and earlier, LTS...

7.5CVSS6.5AI score0.01433EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•6 views

Improper input sanitization in htmlpublisher

SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in htmlpublisher 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback. In htmlpublisher 1.16 through 1.32 both inclusive this fallback for reports created in htmlpublisher 1.15 and earlier does n...

8CVSS6.7AI score0.00698EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

Incorrect trust policy behavior for pull requests from forks in cloudbees-bitbucket-branch-source

Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default. In cloudbees-bitbucket-branch-source 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, this trust policy allows...

6.3CVSS6.3AI score0.00556EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•32 views

Stored XSS vulnerability in dependency-check-jenkins-plugin

dependency-check-jenkins-plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control workspace contents or CVE metadata...

8.8CVSS5.4AI score0.00693EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•7 views

Missing permission checks in jenkinsci-appspider-plugin

jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...

4.3CVSS5.2AI score0.0045EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

SSL/TLS certificate validation disabled by default in Delphix

Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 this option is set to disable SSL/TLS certificate validation by default. In Delphix 3.0.2 this option is set to enable SSL/TLS certifica...

5.3CVSS5.3AI score0.00417EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

Improper SSL/TLS certificate validation in Delphix

Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 through 3.1.0 both inclusive an option change from disabled validation to enabled validation fails to take effect until Jenkins is...

4.2CVSS5.2AI score0.00337EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

CSRF vulnerability and missing permission check in docker-build-step

docker-build-step 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided...

8.8CVSS6.8AI score0.00826EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•8 views

CSRF vulnerability and missing permission checks in svn-partial-release-mgr

svn-partial-release-mgr 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to trigger a build. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...

4.3CVSS5.1AI score0.00495EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•6 views

Terrapin SSH vulnerability in trilead-api

trilead-api bundles the https://github.com/jenkinsci/trilead-ssh2/Jenkins project's fork of the Trilead SSH2 library for use by other plugins. trilead-api 2.133.vfb8a7b9c5dd1 and earlier, except 2.84.86.vf9c960e9b458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to...

5.9CVSS7AI score0.9378EPSS
Exploits4Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

Stored XSS vulnerability in htmlpublisher

htmlpublisher 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 1.32.1 escapes job names, report...

8CVSS6AI score0.00681EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•4 views

Path traversal vulnerability in htmlpublisher

htmlpublisher 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it...

4.3CVSS5AI score0.00939EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•4 views

Sensitive information exposure in build logs by mq-notifier

mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...

6.5CVSS6.3AI score0.00679EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•5 views

Stored XSS vulnerability in build-monitor-plugin

build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...

8CVSS5.3AI score0.80173EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•4 views

Stored XSS vulnerability in gitbucket

gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...

8CVSS7.3AI score0.01253EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/03/06 12:0 a.m.•6 views

Stored XSS vulnerability in icescrum

icescrum 1.1.6 and earlier does not sanitize iceScrum project URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...

8.8CVSS7.5AI score0.01129EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•5 views

Arbitrary file read vulnerability in git-server can lead to RCE

git-server uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's...

8.8CVSS7AI score0.01262EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•10 views

Non-constant time webhook token comparison in gitlab-branch-source

gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-branch-source...

5.3CVSS5.6AI score0.005EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•6 views

Stored XSS vulnerability in qualys-pc

qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuratio...

8CVSS5.3AI score0.00458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•55 views

Incorrect permission checks in qualys-pc allow capturing credentials

qualys-pc 1.0.5 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to connect to an attacker-specified URL using attacker-specified credential...

4.2CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•8 views

Arbitrary file read vulnerability through the CLI can lead to RCE

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature...

9.8CVSS8.7AI score0.99999EPSS
Exploits46Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•5 views

Cross-site WebSocket hijacking vulnerability in the CLI

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...

8.8CVSS8AI score0.66921EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•6 views

Path traversal vulnerability in matrix-project

matrix-project 822.v01b8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. This allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file...

4.6CVSS4.9AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•5 views

Shared projects are unconditionally discovered by gitlab-branch-source

GitLab allows sharing a project with another group. gitlab-branch-source 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group. This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins...

6.5CVSS6.3AI score0.00458EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•6 views

CSRF vulnerability in gitlab-branch-source

gitlab-branch-source 684.veafa7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. gitlab-branch-source 688.v5fa356ee8520...

4.3CVSS4.9AI score0.00323EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•5 views

XXE vulnerability in qualys-pc

qualys-pc 1.0.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure jobs to have Jenkins parse a crafted HTTP response with XML data that uses external entities for extraction of secrets from the Jenkins controller or...

7.1CVSS6.6AI score0.00547EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•18 views

Content-Security-Policy protection for user content disabled by redhat-dependency-analytics

Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. redhat-dependency-analytics 0.7.1 and earlier globally disables the...

8CVSS5.3AI score0.00564EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/01/24 12:0 a.m.•6 views

Arbitrary file read vulnerability in log-command

log-command uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing commands received via instant messaging platforms such as IRC or Jabber. This command parser has a feature that replaces an @ character followed by...

7.5CVSS7.5AI score0.00875EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•7 views

DoS vulnerability in analysis-model-api

analysis-model-api 11.11.0 and earlier bundles versions of JSON-Java vulnerable to https://vulners.com/cve/CVE-2023-5072CVE-2023-5072. This may allow attackers able to control input to cause a Denial of Service DoS by parsing a crafted JSON document. NOTE: As of publication, Synopsys Rapid Scan...

7.5CVSS6.3AI score0.01449EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•5 views

CSRF vulnerability and missing permission checks in Nexus Platform allow XXE

Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin does not configure its X...

8.8CVSS6.8AI score0.00447EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•6 views

CSRF vulnerability and missing permission checks in Nexus Platform allow capturing credentials

Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...

8.8CVSS6.3AI score0.00485EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•6 views

Password stored in a recoverable format by oic-auth

oic-auth provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins. In oic-auth 2.6 and earlier the password to that account is stored in a recoverable format. This allows attackers with access to the Jenkins...

6.7CVSS6.5AI score0.00286EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•6 views

Tokens stored and displayed in plain text by paaslane-estimate

paaslane-estimate 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionall...

4.3CVSS5.1AI score0.00339EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•4 views

CSRF vulnerability and missing permission checks in paaslane-estimate

paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resultin...

8.8CVSS6.3AI score0.00479EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•5 views

Arbitrary file deletion vulnerability in scriptler

scriptler 342.v6a89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. scriptler 344.v5addb5f9e685 ensures that the file being deleted is...

8.1CVSS7.8AI score0.00842EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2023/12/13 12:0 a.m.•6 views

Missing permission check in scriptler

scriptler 342.v6a89fd40f466 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID. scriptler 344.v5addb5f9e685 requires the appropriate permission to read the contents of a...

4.3CVSS5AI score0.00454EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464