トピトピニュース

Category: MODERATE

505 Posts

Featured

Posted by GitHub
[org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
Posted by GitHub
[baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
Posted by GitHub
[org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
Posted by GitHub
[com.h2database:h2] Password exposure in H2 Database

[org.jenkins-ci.plugins:batch-task] CSRF vulnerability in Jenkins batch task Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 01/13/2022, 11/30/2022

Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allow attackers with Overall/Read access to retrieve logs, build, or delete a batch task.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-23115
https:…

[org.conjur.jenkins:conjur-credentials] Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials

  • Posted in MODERATE
  • Posted by GitHub
  • 01/13/2022, 11/30/2022

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.
References

https://nvd.nist.gov/vuln/detail/…

[org.jenkins-ci.plugins:publish-over-ssh] CSRF vulnerability and missing permission checks in Jenkins Publish Over SSH Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 01/13/2022, 11/30/2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
References

https://nvd.nist.gov/vuln/detail/CVE…

[org.jenkins-ci.plugins:publish-over-ssh] Path traversal vulnerability in Jenkins Publish Over SSH Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 01/13/2022, 11/30/2022

Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the J…

[org.conjur.jenkins:conjur-credentials] Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows decrypting secrets

  • Posted in MODERATE
  • Posted by GitHub
  • 01/13/2022, 11/30/2022

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2…

[nemo-toolkit] Path Traversal in nemo-toolkit

  • Posted in MODERATE
  • Posted by GitHub
  • 01/11/2022, 09/08/2022

NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available.
References

https://github.com/NVIDIA/NeMo/security/advisories/GHSA-rpx7-33j2-xx9x
h…

[org.apache.logging.log4j:log4j-core] Improper Input Validation and Injection in Apache Log4j2

  • Posted in MODERATE
  • Posted by GitHub
  • 01/05/2022, 10/06/2022

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JD…

[dolibarr/dolibarr] Cross site scripting in dolibarr

  • Posted in MODERATE
  • Posted by GitHub
  • 01/03/2022, 09/08/2022

admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-22293
https://github.com/mustgundogdu/Research/blob/main/Dolibar_7.0.2-StoredXSS/REA…

[OPCFoundation.NetStandard.Opc.Ua.Core] Improper Certificate Validation in OPCFoundation.NetStandard.Opc.Ua.Core

  • Posted in MODERATE
  • Posted by GitHub
  • 11/20/2021, 09/02/2022

A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 allows attackers to establish a connection using invalid certificates.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-29457
https://github.com/OPCFoundation/UA-.NETSta…

[Tremor] Memory Safety Issue when using patch or merge on state and assign the result back to state

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2021, 10/06/2022

Impact
This vulnerability is a memory safety issue that occurs when using patch or merge on state and assigning the result back to state.
In this case, affected versions of Tremor and the tremor-script crate maintain references to memory that might have been freed al…
