Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-wcjj-qm5v-j4pc: Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

ghsa
#git#ldap#auth

Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords

Moderate severity GitHub Reviewed Published Nov 16, 2022 • Updated Nov 21, 2022

Related news

CVE-2022-45380: Jenkins Security Advisory 2022-11-15

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45382: Jenkins Security Advisory 2022-11-15

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

CVE-2022-45391: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

CVE-2022-45385: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CVE-2022-45400: Jenkins Security Advisory 2022-11-15

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45401: Jenkins Security Advisory 2022-11-15

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45395: Jenkins Security Advisory 2022-11-15

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45387: Jenkins Security Advisory 2022-11-15

Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2022-45389: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45391: security - Multiple vulnerabilities in Jenkins plugins

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.