Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2022-4886: CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed · Issue #10570 · kubernetes/ingress-nginx

Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.

CVE
Open in Source
#vulnerability#web#git#kubernetes#nginx
As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

In the race over Citrix's latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide.

GHSA-66hv-fhcm-7xm7: Jenkins Warnings Plugin exposures system-scoped credentials

Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.

GHSA-8859-v9jp-cphf: Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

GHSA-9ggw-h9mf-4jh7: Jenkins CloudBees CD Plugin vulnerable to arbitrary file read

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the `CloudBees CD - Publish Artifact` post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.

GHSA-2xpq-5952-38w3: Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

GHSA-jx7x-rf3f-j644: Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

GHSA-jwx3-2hq3-682c: Jenkins Edgewall Trac Plugin vulnerable to Stored XSS

Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GHSA-86j9-25m2-9w97: Non-constant time webhook token hash comparison in Jenkins Zanata Plugin

Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

GHSA-885r-hhpr-cc9p: Jenkins Gogs Plugin uses non-constant time webhook token comparison

Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.