Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-j8xr-2279-88qj: Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

ghsa
#git
GHSA-qgv4-7jhx-c72q: Jenkins Rundeck Plugin Missing Authorization vulnerability

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

GHSA-f7fq-wp2x-jc25: Jenkins WildFly Deployer Plugin vulnerable to path traversal

Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

GHSA-f546-v666-559x: Craft CMS Cross-site Scripting vulnerability

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line `label: elementInfo.label`.

GHSA-52v4-wxrx-gjjm: Jenkins Apprenda Plugin has Missing Authorization vulnerability

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

GHSA-q9j5-2mjx-8x28: Jenkins SCM HttpClient Plugin Missing Authorization

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-6cvr-rvpm-9wx4: Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-cpm5-cqr9-7p79: Jenkins BigPanda Notifier Plugin Missing Password Field Masking

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

GHSA-fv7x-v67w-cvqv: Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

GHSA-m748-hjqg-rpp8: rdiffweb has insecure HTTP cookies

In rdiffweb prior to version 2.4.6, the `cookie` session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.