Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-25193: Jenkins Security Advisory 2022-02-15

Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE
Open in Source
#xss#csrf#vulnerability#web#git#ssrf#auth#ssh
CVE-2022-25202: Jenkins Security Advisory 2022-02-15

Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

CVE-2022-25190: Jenkins Security Advisory 2022-02-15

A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-25175: Jenkins Security Advisory 2022-02-15

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

CVE-2022-25195: Jenkins Security Advisory 2022-02-15

A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

CVE-2022-25191: Jenkins Security Advisory 2022-02-15

Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-25184: Jenkins Security Advisory 2022-02-15

Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.

CVE-2022-25203: Jenkins Security Advisory 2022-02-15

Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission.

CVE-2022-25185: Jenkins Security Advisory 2022-02-15

Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-25187: Jenkins Security Advisory 2022-02-15

Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle.