A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capt…
[tech.andrey.jenkins:mission-control-view] Cross site scripting in Jenkins Mission Control Plugin
Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
References
https://nvd.nist.gov/vu…
[com.redgate.plugins.redgatesqlci:redgate-sql-ci] Jenkins Redgate SQL Change Automation Plugin has Insufficiently Protected Credentials
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
References…
[com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer] Missing permission check in Jenkins Build Failure Analyzer Plugin
A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.
References
https://nvd.nist.gov/vuln/detail/C…
[com.inflectra.spiratest.plugins:inflectra-spira-integration] Improper Certificate Validation in Jenkins Spira Importer Plugin
Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-16558
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580
http://www.op…
[katello] Katello cleartext password storage issue
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credent…
[ansible] Ansible password prompts could expose passwords
ansible-playbook -k and the ansible CLI tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt for passwords by expanding them from templates, since they could contain special characters. Passwords should be wrapped to …
[pyarrow] Missing Initialization of Resource in Apache Arrow
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized m…
[org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline] Incorrect Authorization in Puppet Enterprise Pipeline Jenkins Plugin
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
References
https://nvd.nist.gov/vuln/…
[com.elasticbox.jenkins-ci.plugins:elasticbox] Cleartext Storage of Sensitive Information in Jenkins ElasticBox CI Plugin
Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
References
https://nvd.nist.gov/vuln/detail/CVE-2019…