Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-64c5-r2h5-c2fg: Jenkins docker-build-step Plugin Cross-Site Request Forgery vulnerability

A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.

ghsa
Open in Source
#csrf#vulnerability#git#java#docker#maven
GHSA-pfh3-j79r-vqrj: Jenkins Delphix Plugin has improper SSL/TLS certificate validation

In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation.

GHSA-8h2m-54wh-gwj3: Jenkins docker-build-step Plugin missing permission check

A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.

GHSA-mr9j-qqjh-67f2: Jenkins Subversion Partial Release Manager Plugin missing permission check

A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build.

GHSA-8vcg-v7g4-3vr7: Jenkins HTML Publisher Plugin does not properly sanitize input

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.

GHSA-m4rm-x2rr-357w: Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

GHSA-9pp4-mx6x-xh36: Jenkins OWASP Dependency-Check Plugin has stored XSS vulnerability

Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.

GHSA-5j5r-6mv9-m255: Jenkins Build Monitor View Plugin vulnerable to stored Cross-site Scripting

Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.

GHSA-rv35-69ff-g9gv: Jenkins Subversion Partial Release Manager Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build.

GHSA-8fm4-r23p-v68v: Jenkins MQ Notifier Plugin exposes sensitive information in build logs

Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.