Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-wwww-xvm2-62w7: Jenkins Delphix Plugin vulnerable to exposure of system-scoped credentials

Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to.

Delphix Plugin 3.0.3 defines the appropriate context for credentials lookup.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-40345

Jenkins Delphix Plugin vulnerable to exposure of system-scoped credentials

Moderate severity GitHub Reviewed Published Aug 16, 2023 to the GitHub Advisory Database • Updated Aug 16, 2023

Package

maven org.jenkins-ci.plugins:delphix (Maven)

Affected versions

< 3.0.3

Published to the GitHub Advisory Database

Aug 16, 2023

Last updated

Aug 16, 2023

Related news

CVE-2023-4302: Jenkins Security Advisory 2023-08-16

A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-4303: Jenkins Security Advisory 2023-08-16

Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability.

CVE-2023-40345: Jenkins Security Advisory 2023-08-16

Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.

CVE-2023-40351: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.

CVE-2023-40350: Jenkins Security Advisory 2023-08-16

Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

CVE-2023-40349: Jenkins Security Advisory 2023-08-16

Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.

CVE-2023-40347: Jenkins Security Advisory 2023-08-16

Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

CVE-2023-40346: Jenkins Security Advisory 2023-08-16

Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

CVE-2023-40338: Jenkins Security Advisory 2023-08-16

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

CVE-2023-40344: Jenkins Security Advisory 2023-08-16

A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-40343: Jenkins Security Advisory 2023-08-16

Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

CVE-2023-40342: Jenkins Security Advisory 2023-08-16

Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

CVE-2023-40341: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

CVE-2023-40340: Jenkins Security Advisory 2023-08-16

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

CVE-2023-40339: Jenkins Security Advisory 2023-08-16

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

CVE-2023-40337: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.

CVE-2023-40336: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.