Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mrf6-4gw6-65v3: Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

ghsa
#mac#git#auth

Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

Moderate severity GitHub Reviewed Published Sep 22, 2022 • Updated Sep 23, 2022

Related news

CVE-2022-41241: Jenkins Security Advisory 2022-09-21

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-41227: Jenkins Security Advisory 2022-09-21

A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.

CVE-2022-41236: Jenkins Security Advisory 2022-09-21

A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on attacker-specified report generation options.

CVE-2022-41245: Jenkins Security Advisory 2022-09-21

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-41250: Jenkins Security Advisory 2022-09-21

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-41244: Jenkins Security Advisory 2022-09-21

Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.

CVE-2022-41225: Jenkins Security Advisory 2022-09-21

Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

CVE-2022-41238: Jenkins Security Advisory 2022-09-21

A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

CVE-2022-41243: Jenkins Security Advisory 2022-09-21

Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.

CVE-2022-41226: Jenkins Security Advisory 2022-09-21

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager