A Cron expression form validation could enter infinite loop, potentially resulting in denial of service. The form validation for cron expressions (e.g. “Poll SCM”, “Build periodically”) could enter infinite loops when cron expressions only matching cer…
[org.apache.guacamole:guacamole-common] Missing Encryption of Sensitive Data in Apache Guacamole
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HT…
[org.apache.jmeter:ApacheJMeter] Missing certificate validation in Apache JMeter
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-1297
…
[org.apache.jmeter:ApacheJMeter] Missing certificate validation in Apache JMeter
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code. This only affect those running in Dist…
[org.grails.plugins:asset-pipeline] Asset Pipeline Grails Plugin vulnerable to Path Traversal
Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Download .class files and any arbitrary file. This att…
[io.jenkins:configuration-as-code] Jenkins Configuration as Code Plugin has Insufficiently Protected Credentials
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to…
[com.amazonaws:aws-codepipeline] Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials
Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local …
[com.amazonaws:aws-codebuild] Insufficiently Protected Credentials in Jenkins AWS CodeBuild Plugin
Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appear to be exploitab…
[com.synopsys.jenkinsci:ownership] Improper authorization in Jenkins Job and Node Ownership Plugin
An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in
OwnershipDescription.java,
JobOwnerJobProperty.java,
and OwnerNodeProperty.java
that allow an attacker with Job/Configure or Computer/Con…
[org.apache.geode:geode-core] Apache Geode vulnerable to Exposure of Sensitive Information
When an Apache Geode cluster before v1.2.1 is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In add…