Jenkins versions before 2.44 are vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenki…
[org.apache.struts:struts2-core] Server side object manipulation in Apache Struts
OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the ‘#’-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context obj…
[bootstrap] Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14040
https://github.com/twbs/bootstrap/issues/26423
https://github.com/twbs/bootstrap/issues/26625
https://github.c…
[org.apache.deltaspike.modules:jsf-module-project] Cross-site Scripting in Apache DeltaSpike
The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection flaw in the windowId handling. By default the windowId is cut off after 10 characters, so the impact might be limited. A fix was applied and released in Apache deltaspi…
[org.springframework:spring-core] Spring Framework Inefficient Regular Expression Complexity
Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server …
[org.apache.santuario:xmlsec] Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in multiple products, permits authentication bypass by HMAC truncation.
Apache XML Security for Java is affected by the vulnerability published in US-CERT VU#466161. See: http://www.kb.cert.org/vuls/i…
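The mechanism behind this entry, as an added example that is not xmlsec's own code: an XMLDsig signature can carry an HMACOutputLength, and a verifier that honours any requested length lets the signer (here, the attacker) shrink the MAC to a handful of bits and simply guess it. The class and method names below are illustrative; the minimum-length rule it enforces (at least 80 bits and at least half the digest length) is the one adopted in the XMLDsig errata and in patched implementations.

```java
// Added example (not xmlsec's code): why an attacker-controlled HMAC
// truncation length defeats the MAC, and the minimum-length check a
// verifier must enforce. TruncatedHmacVerifier and its methods are
// illustrative names.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TruncatedHmacVerifier {
    private static final String ALG = "HmacSHA1";   // XMLDsig's mandatory HMAC algorithm
    private static final int DIGEST_BITS = 160;

    // Full HMAC, then keep only the leading outputBits bits, mirroring how a
    // verifier applies <HMACOutputLength>.
    static byte[] truncatedMac(byte[] key, byte[] msg, int outputBits) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] full = mac.doFinal(msg);
        int nBytes = (outputBits + 7) / 8;
        byte[] out = Arrays.copyOf(full, nBytes);
        int spare = nBytes * 8 - outputBits;          // mask the partial trailing byte
        if (spare > 0) out[nBytes - 1] &= (byte) (0xFF << spare);
        return out;
    }

    // Vulnerable: trusts whatever output length the signature document asks for.
    static boolean verifyUnchecked(byte[] key, byte[] msg, byte[] tag, int outputBits) throws Exception {
        return MessageDigest.isEqual(truncatedMac(key, msg, outputBits), tag);
    }

    // Hardened: the truncation length must be at least 80 bits and at least half
    // the digest length; anything outside that range is rejected, not "fixed up".
    static boolean verifyChecked(byte[] key, byte[] msg, byte[] tag, int outputBits) throws Exception {
        int minBits = Math.max(80, DIGEST_BITS / 2);
        if (outputBits < minBits || outputBits > DIGEST_BITS) {
            return false;
        }
        return verifyUnchecked(key, msg, tag, outputBits);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[20];
        new SecureRandom().nextBytes(key);           // verifier's secret; the attacker never sees it
        byte[] forged = "<Transfer amount=\"1000000\"/>".getBytes(StandardCharsets.UTF_8);

        // With HMACOutputLength=8 the attacker needs at most 256 submissions.
        int attempts = 0;
        boolean forgedAccepted = false;
        for (int guess = 0; guess < 256 && !forgedAccepted; guess++) {
            attempts++;
            forgedAccepted = verifyUnchecked(key, forged, new byte[] {(byte) guess}, 8);
        }
        System.out.println("8-bit truncation: forgery accepted after " + attempts
                + " attempts: " + forgedAccepted);

        // The hardened verifier refuses the short length even for a correct tag.
        boolean rejected = !verifyChecked(key, forged, truncatedMac(key, forged, 8), 8);
        System.out.println("8-bit truncation rejected by hardened verifier: " + rejected);

        // Legitimate verification at a compliant length still works.
        byte[] tag = truncatedMac(key, forged, 160);
        System.out.println("160-bit tag verifies: " + verifyChecked(key, forged, tag, 160));
    }
}
```

The point to carry over to any MAC-based scheme: the party who produces the tag must never be able to choose how much of it the verifier compares. The length bound belongs in the verifier's policy, not in the signed document.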
[nokogiri] Nokogiri is vulnerable to XML External Entity (XXE) attack
Nokogiri before 1.5.4 is vulnerable to XXE attacks.
References
https://nvd.nist.gov/vuln/detail/CVE-2012-6685
https://github.com/sparklemotion/nokogiri/issues/693
https://bugzilla.redhat.com/show_bug.cgi?id=1178970
https://nokogiri.org/CHANGELOG.html#…
[org.jenkins-ci.plugins:proxmox] SSL/TLS certificate validation globally disabled by Jenkins Proxmox Plugin
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28142
https://www.jenkins.io/securi…
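The configuration mistake this entry describes beside a scoped alternative, as an added example that is not the Proxmox plugin's code. The first method shows the shape such an "ignore SSL/TLS issues" option tends to take, setting JVM-wide defaults that every other HTTPS client in the Jenkins controller then inherits; the second trusts only the operator's own CA certificate and attaches that trust to a single connection. The class name, the PEM path and the hostname are assumptions.

```java
// Added example (not the Proxmox plugin's code). Demonstrates why a
// "disable certificate validation" option must not use the HttpsURLConnection
// process-wide defaults, and how to scope trust to one client instead.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ScopedTlsTrust {

    // Vulnerable pattern: after this runs, every later HttpsURLConnection in the
    // JVM (Jenkins core, other plugins, credential providers) accepts any
    // certificate from any host. The plugin's own option must never do this.
    static void disableValidationGlobally_DO_NOT_USE() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {trustAll}, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());  // process-wide
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);  // process-wide
    }

    // Scoped alternative: trust exactly the CA the administrator supplied (for
    // Proxmox, typically its self-signed certificate) in an in-memory store.
    static SSLContext contextTrustingOnly(InputStream pemCert) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(pemCert);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                          // empty store, nothing from the JVM defaults
        ks.setCertificateEntry("proxmox-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The custom trust applies to this connection only; the default hostname
    // verifier stays active, so the certificate must still name the host.
    static HttpsURLConnection openScoped(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: a PEM file holding the Proxmox CA, and the API endpoint.
        String pemPath = args.length > 0 ? args[0] : "proxmox-ca.pem";
        try (InputStream pem = new FileInputStream(pemPath)) {
            SSLContext ctx = contextTrustingOnly(pem);
            HttpsURLConnection conn = openScoped(
                    new URL("https://proxmox.example.internal:8006/api2/json/version"), ctx);
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

If a plugin genuinely needs a "skip verification" escape hatch for a lab host, it should still be per-connection (a trust manager on that one SSLContext), never `setDefaultSSLSocketFactory`, and the option should be flagged in the UI as insecure.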
[org.jenkins-ci.plugins:ci-with-toad-edge] Arbitrary file read vulnerability in Jenkins Continuous Integration with Toad Edge Plugin
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build s…
[org.jenkins-ci.plugins:rocketchatnotifier] Missing permission check in Jenkins RocketChat Notifier Plugin
RocketChat Notifier Plugin 1.4.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and …
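The Jenkins idiom these two permission-check entries (the core periodic-cleanup URLs at the top of this page and the RocketChat Notifier form validation here) call for, as an added example that is not either project's code. Stapler routes `do*` methods to URLs, so a form-validation method reachable by any user with Overall/Read is an SSRF endpoint unless it checks permission itself; the fix is the `checkPermission` call and the `@POST` restriction shown in `doTestConnection`. The class, field names, URL path and the assumption that the settings live in a `GlobalConfiguration` are illustrative.

```java
// Added example (not the RocketChat Notifier plugin's code): a Jenkins
// GlobalConfiguration whose "test connection" validator is shown both without
// and with the permission check. Names and the login endpoint are illustrative.
import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

@Extension
public class ChatServerConfig extends GlobalConfiguration {

    public ChatServerConfig() { load(); }

    @Override
    public String getDisplayName() { return "Chat server"; }

    // VULNERABLE pattern, kept only for contrast. Any authenticated user with
    // Overall/Read can request
    //   /descriptorByName/ChatServerConfig/testConnectionUnchecked?serverUrl=...
    // and make the controller post the supplied username/password to a host
    // they choose (SSRF plus credential capture).
    public FormValidation doTestConnectionUnchecked(@QueryParameter String serverUrl,
                                                    @QueryParameter String username,
                                                    @QueryParameter Secret password) {
        return probe(serverUrl, username, password);
    }

    // FIXED pattern: only administrators may trigger the outbound request, and
    // only via POST so a crafted GET link cannot fire it.
    @POST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter Secret password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);  // throws AccessDeniedException otherwise
        return probe(serverUrl, username, password);
    }

    // Validators reached from a job's configuration page use the job's own
    // permission instead; fall back to ADMINISTER when there is no job context.
    @POST
    public FormValidation doCheckServerUrl(@AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        try {
            new URL(value).toURI();                         // syntax check only, no network access
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Not a valid URL: " + e.getMessage());
        }
    }

    // The actual outbound call; this is what must sit behind a permission check.
    private FormValidation probe(String serverUrl, String username, Secret password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl + "/api/v1/login").openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            String body = new JSONObject()
                    .element("user", username)
                    .element("password", Secret.toString(password))
                    .toString();
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            int code = conn.getResponseCode();
            return code == 200 ? FormValidation.ok("Connected")
                               : FormValidation.error("Server returned HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The same first line, `Jenkins.get().checkPermission(Jenkins.ADMINISTER)`, is what a URL-bound method that triggers controller-side work (such as a cleanup or maintenance endpoint) needs before doing anything else; Overall/Read is the default for every logged-in user and must not be treated as authorization.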