Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-87rh-wc85-xqvc: Missing permission checks in Jenkins Orka Plugin allow enumerating credentials IDs

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

ghsa
Open in Source
#mac#git
GHSA-9jwh-qvg7-gr59: CSRF vulnerability in Jenkins Orka Plugin allow capturing credentials

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-r3gm-jwf4-xgv2: Cross-site request forgery vulnerability in Jenkins JIRA Pipeline Steps Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-4x65-4fjx-r7m6: Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

GHSA-g29v-5pwh-wxx4: Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

GHSA-95jq-24cr-pgrq: Cross-site request forgery in Jenkins Gerrit Trigger Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.

GHSA-w4v5-54p8-m4j5: Missing permission checks in Jenkins GitHub Pull Request Builder Plugin

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-mj62-m63x-mh84: Open redirect vulnerability in Jenkins OpenID Plugin

Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

GHSA-f976-24hc-mjvr: Session fixation vulnerability in Jenkins OpenID Plugin

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

GHSA-g5mj-c26g-vmpm: XML Entity Expansion in Jenkins TestComplete support Plugin

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.