Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.
References
https://nvd.nist.gov/vuln/…
Jenkins Active Directory Plugin prior to 2.20 does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.
References
https:…
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2299
https://www.jenkins.io/security/advisory/2020-11-04/#SECURIT…
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a “one-shot” decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 Gi…
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being …
secure-store in Expo through 9.1.0 on iOS provides the insecure kSecAttrAccessibleAlwaysThisDeviceOnly policy when WHEN_UNLOCKED_THIS_DEVICE_ONLY is used.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-24653
https://github.com/expo/expo/pull/926…
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka ASP.NET Core Denial of Service Vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-1597
https://lists.fedoraproject.org/archives/list/packa…
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via ‘Trigger builds remotely’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure per…
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2229
https://jenkins.io/security…
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
References
https://nvd.nist…
