iPhone 13で、AppleはiPhoneのノッチを小さくしました。存在感はありますが、より小さ…
[org.jenkins-ci.plugins:credentials] Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether …
[org.jenkins-ci.plugins:active-directory] User passwords transmitted in plain text by Jenkins Active Directory Plugin
Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23105
https://www.jenki…
[org.jenkins-ci.plugins:publish-over-ssh] Stored XSS vulnerability in Jenkins Publish Over SSH Plugin
Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
References
https://nvd.nist.gov/vuln/deta…
[com.datapipe.jenkins.plugins:hashicorp-vault-plugin] Improper credentials masking in Jenkins HashiCorp Vault Plugin
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2310…
[org.jenkins-ci.plugins:batch-task] CSRF vulnerability in Jenkins batch task Plugin
Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23115
https:…
[org.jenkins-ci.plugins:publish-over-ssh] Password stored in plain text by Jenkins Publish Over SSH Plugin
Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References
https://nvd.nist.gov/…
[org.jenkins-ci.plugins:publish-over-ssh] Path traversal vulnerability in Jenkins Publish Over SSH Plugin
Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the J…
[org.jenkins-ci.plugins:publish-over-ssh] CSRF vulnerability and missing permission checks in Jenkins Publish Over SSH Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
References
https://nvd.nist.gov/vuln/detail/CVE…
[org.conjur.jenkins:conjur-credentials] Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.
References
https://nvd.nist.gov/vuln/detail/…