Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rchx-rvh2-vx5j: Credential leakage in Jenkins Plug-in for ServiceNow

A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.

ghsa
#vulnerability#git

Credential leakage in Jenkins Plug-in for ServiceNow

Moderate severity GitHub Reviewed Published Jul 26, 2023 to the GitHub Advisory Database • Updated Jul 26, 2023

Related news

CVE-2023-3414: Knowledge Article View - Now Support Portal

A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.

CVE-2023-39156: Jenkins Security Advisory 2023-07-26

A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

CVE-2023-39154: Jenkins Security Advisory 2023-07-26

Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-39155: Jenkins Security Advisory 2023-07-26

Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

CVE-2023-39151: Jenkins Security Advisory 2023-07-26

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

CVE-2023-39152: Jenkins Security Advisory 2023-07-26

Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances.

CVE-2023-39153: Jenkins Security Advisory 2023-07-26

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.