Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-8mmh-h4jh-2g34: Path Traversal in Jenkins visualexpert Plugin

Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

ghsa
#git
GHSA-x9q4-qwfh-9gjq: Session fixation vulnerability in Jenkins Bitbucket OAuth Plugin

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

GHSA-h8p8-6378-649p: XML external entity reference vulnerability on agents in Jenkins Semantic Versioning Plugin

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

GHSA-pcc2-w6m8-x5w4: Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

GHSA-87rh-wc85-xqvc: Missing permission checks in Jenkins Orka Plugin allow enumerating credentials IDs

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

GHSA-9jwh-qvg7-gr59: CSRF vulnerability in Jenkins Orka Plugin allow capturing credentials

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-r3gm-jwf4-xgv2: Cross-site request forgery vulnerability in Jenkins JIRA Pipeline Steps Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-4x65-4fjx-r7m6: Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

GHSA-g29v-5pwh-wxx4: Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

GHSA-95jq-24cr-pgrq: Cross-site request forgery in Jenkins Gerrit Trigger Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.