トピトピニュース

Author: GitHub (1143 Posts)

Featured

  • [github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • [bitlyshortener] Package discontinued because Bitly lowered the free quota
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[org.jenkins-ci.plugins:rocketchatnotifier] CSRF vulnerability in Jenkins RocketChat Notifier Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 03/30/2022 / 11/30/2022

A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
References

https://nvd.nist.gov/vuln/detail/CVE-20…

[org.jenkins-ci.plugins:JiraTestResultReporter] Missing permission check in Jenkins JiraTestResultReporter Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 03/30/2022 / 11/30/2022

A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
References

https://nvd.nist.g…

[org.jvnet.hudson.plugins:instant-messaging] Plaintext storage in Jenkins instant-messaging Plugin

  • Posted in LOW
  • Posted by GitHub
  • 03/30/2022 / 11/30/2022

Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access…

[io.jenkins.plugins:atlassian-bitbucket-server-integration] Missing permission checks in Jenkins Bitbucket Server Integration Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 03/30/2022 / 11/30/2022

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.
References

https://nvd….

[org.jenkins-ci.plugins:ci-with-toad-edge] Cross-site Scripting (XSS) vulnerability in Jenkins Continuous Integration with Toad Edge Plugin

  • Posted in HIGH
  • Posted by GitHub
  • 03/30/2022 / 11/30/2022

Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or o…

[poetry] Poetry before v1.1.9 contains Untrusted Search Path

  • Posted in CRITICAL
  • Posted by GitHub
  • 03/23/2022 / 09/20/2022

Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the appli…
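The advisory above describes the untrusted search path class: a lookup that can be steered by whoever controls the working directory. The following is an added illustration of that class in general, written for this page; it is not Poetry's code and does not reproduce the specific Poetry defect. The function names (`is_trusted_dir`, `resolve_executable`, `demo`), the constructed `tool` files and the constructed PATH strings are assumptions for the example.

```python
# Added example (not Poetry's code, not the actual Poetry defect): a generic
# illustration of the "untrusted search path" class. resolve_executable,
# is_trusted_dir, demo, the planted "tool" files and the PATH strings are
# assumptions made for this example.
import os
import stat
import tempfile


class UntrustedSearchPath(Exception):
    """Raised when a search-path entry would let the current directory, or a
    directory other users can write to, decide which file gets executed."""


def is_trusted_dir(directory: str) -> bool:
    """Absolute, existing, and not writable by group or others.
    Anything else is controlled by whoever controls the cwd or the dir."""
    if not os.path.isabs(directory):
        return False
    try:
        st = os.stat(directory)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_executable(name: str, search_path: str, cwd: str, strict: bool) -> str:
    """PATH-style lookup of `name`.

    Legacy behaviour (strict=False): an empty or relative entry is resolved
    against `cwd`, so running the command inside an attacker-prepared
    directory executes the attacker's file.
    Hardened behaviour (strict=True): refuse such entries outright instead of
    resolving through them."""
    for entry in search_path.split(os.pathsep):
        if strict and not is_trusted_dir(entry):
            raise UntrustedSearchPath(f"refusing search-path entry {entry!r}")
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        candidate = os.path.normpath(os.path.join(base, name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise FileNotFoundError(name)


def _plant(directory: str, name: str, body: str) -> str:
    """Create `directory` (0755) holding an executable file `name`."""
    os.makedirs(directory, exist_ok=True)
    os.chmod(directory, 0o755)
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o755)
    return path


def demo() -> dict:
    """Constructed scenario: a trusted bin dir and an attacker-controlled
    project dir both contain a file called `tool`. PATH carries a leading
    empty entry (meaning "current directory"), and the command is run from
    the attacker's directory."""
    with tempfile.TemporaryDirectory() as root:
        trusted_bin = os.path.join(root, "usr", "bin")
        attacker_dir = os.path.join(root, "project")
        good = _plant(trusted_bin, "tool", "#!/bin/sh\necho legitimate\n")
        bad = _plant(attacker_dir, "tool", "#!/bin/sh\necho pwned\n")
        dangerous_path = os.pathsep.join(["", trusted_bin])  # "" resolves to cwd
        clean_path = trusted_bin
        result = {
            "legacy_picks_attacker_file":
                resolve_executable("tool", dangerous_path, attacker_dir, strict=False) == bad,
            "strict_refuses_dangerous_path": False,
            "strict_with_clean_path_picks_trusted":
                resolve_executable("tool", clean_path, attacker_dir, strict=True) == good,
        }
        try:
            resolve_executable("tool", dangerous_path, attacker_dir, strict=True)
        except UntrustedSearchPath:
            result["strict_refuses_dangerous_path"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

The lenient branch is the bug shape: the lookup quietly resolves through the working directory, so the outcome of a routine command depends on where it was typed. The strict branch fails closed on any entry that is relative, missing, or writable by others, which is the check a practitioner wants before executing anything found on a search path.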

[paramiko] Race Condition in Paramiko

  • Posted in MODERATE
  • Posted by GitHub
  • 03/19/2022 / 09/15/2022

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-24302
https://github.com/paramiko/par…
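The race in the advisory is the classic create-then-chmod ordering: the file exists with umask-derived permissions until the chmod runs. The block below is an added example written for this page, not Paramiko's code; it shows that ordering next to the race-free pattern (request 0600 at creation time with `O_EXCL`). `write_key_racy`, `write_key_safe`, `mode_bits`, `demo` and the constructed `SAMPLE_KEY` bytes are assumptions for the example.

```python
# Added example (not Paramiko's code): the create-then-chmod race the advisory
# describes, beside the race-free pattern. The function names and the
# constructed SAMPLE_KEY bytes are assumptions for this illustration.
import os
import stat
import tempfile

# Constructed stand-in for key material; not a real key.
SAMPLE_KEY = b"-----BEGIN FAKE PRIVATE KEY-----\nconstructed\n-----END FAKE PRIVATE KEY-----\n"


def mode_bits(path: str) -> int:
    """Permission bits of `path`, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path: str, data: bytes) -> int:
    """Vulnerable shape: create with the process umask, then tighten.

    open() creates the file as 0666 & ~umask (0644 under the usual 022), so
    until chmod() runs any local user can open and read it. Returns the mode a
    concurrent reader would see in that window, to make it visible."""
    with open(path, "wb") as f:
        f.write(data)
    mode_in_window = mode_bits(path)
    os.chmod(path, 0o600)  # too late: the data was already readable
    return mode_in_window


def write_key_safe(path: str, data: bytes) -> None:
    """Race-free shape: ask the kernel for 0600 at creation and refuse a
    pre-existing file or symlink (O_EXCL). The umask can only remove bits,
    so the file is never visible with more than 0600; fchmod on the open
    descriptor restores 0600 if an unusual umask stripped an owner bit."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        view = memoryview(data)
        while view:                      # os.write may write partially
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both writers in a fresh directory under umask 022 and report what
    each file looked like; also show O_EXCL refusing a planted file."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = os.path.join(d, "id_racy")
            safe = os.path.join(d, "id_safe")
            planted = os.path.join(d, "id_planted")
            window_mode = write_key_racy(racy, SAMPLE_KEY)
            write_key_safe(safe, SAMPLE_KEY)
            open(planted, "wb").close()   # stands in for an attacker-planted file
            try:
                write_key_safe(planted, SAMPLE_KEY)
                refused = False
            except FileExistsError:
                refused = True
            with open(safe, "rb") as f:
                content_ok = f.read() == SAMPLE_KEY
            return {
                "racy_mode_in_window": oct(window_mode),
                "racy_mode_final": oct(mode_bits(racy)),
                "safe_mode": oct(mode_bits(safe)),
                "safe_refuses_planted_file": refused,
                "safe_content_ok": content_ok,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that there is no instant at which the file is both present and readable by others, so there is nothing for a concurrent process to win. `O_EXCL` is the second half of the fix: without it, a file or symlink planted at the target path ahead of time would be opened and written through rather than refused.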

[SinGooCMS.Utility] Deserialization of Untrusted Data in SinGooCMS.Utility

  • Posted in CRITICAL
  • Posted by GitHub
  • 03/18/2022 / 09/08/2022

This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restri…

[org.jenkins-ci.plugins:release-helper] CSRF vulnerability in Jenkins Release Helper Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 03/16/2022 / 12/01/2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-27…

[org.jenkins-ci.plugins:dbCharts] Passwords stored in plain text by Jenkins dbCharts Plugin

  • Posted in LOW
  • Posted by GitHub
  • 03/16/2022 / 12/01/2022

Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration.
These passwords can be viewed b…
