Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-j7xv-fc46-hgpg: Jenkins BigPanda Notifier Plugin stores BigPanda API key unencrypted

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

ghsa
Open in Source
#git
GHSA-7jwg-hq85-c6m6: Jenkins SmallTest Plugin improperly validates hostname

Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.

GHSA-g43x-pcc9-f472: Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Version 1.0.15 contains a patch.

GHSA-mrf6-4gw6-65v3: Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

GHSA-jjch-7g85-4m72: Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

GHSA-fq2h-r2h9-pj8r: Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site Scripting

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GHSA-qgv4-7jhx-c72q: Jenkins Rundeck Plugin Missing Authorization vulnerability

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

GHSA-j8xr-2279-88qj: Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

GHSA-j2mj-g8jp-gjfm: Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

GHSA-f7fq-wp2x-jc25: Jenkins WildFly Deployer Plugin vulnerable to path traversal

Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.