Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication …
[com.yahoo.athenz:athenz] Athenz vulnerable to Open Redirect
Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-6035
https://git…
[io.alauda.jenkins.plugins:alauda-kubernetes-support] Improper Authorization in Jenkins Alauda Kubernetes Suport Plugin
A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capt…
[io.alauda.jenkins.plugins:alauda-kubernetes-support] Cross-Site Request Forgery in Jenkins Alauda Kubernetes Suport Plugin
A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kub…
[tech.andrey.jenkins:mission-control-view] Cross site scripting in Jenkins Mission Control Plugin
Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
References
https://nvd.nist.gov/vu…
[com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer] Missing permission check in Jenkins Build Failure Analyzer Plugin
A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.
References
https://nvd.nist.gov/vuln/detail/C…
[com.redgate.plugins.redgatesqlci:redgate-sql-ci] Jenkins Redgate SQL Change Automation Plugin has Insufficiently Protected Credentials
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
References…
[com.inflectra.spiratest.plugins:inflectra-spira-integration] Improper Certificate Validation in Jenkins Spira Importer Plugin
Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-16558
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580
http://www.op…
[katello] Katello cleartext password storage issue
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credent…
[ansible] Ansible password prompts could expose passwords
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to …