Security
Headlines
HeadlinesLatestCVEs

Tag

#maven

GHSA-xj36-6xc6-8p9x: Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default

In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default.

ghsa
Open in Source
#vulnerability#git#java#maven#ssl
GHSA-8vcg-v7g4-3vr7: Jenkins HTML Publisher Plugin does not properly sanitize input

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.

GHSA-m4rm-x2rr-357w: Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

GHSA-9pp4-mx6x-xh36: Jenkins OWASP Dependency-Check Plugin has stored XSS vulnerability

Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.

GHSA-5j5r-6mv9-m255: Jenkins Build Monitor View Plugin vulnerable to stored Cross-site Scripting

Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.

GHSA-rv35-69ff-g9gv: Jenkins Subversion Partial Release Manager Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build.

GHSA-8fm4-r23p-v68v: Jenkins MQ Notifier Plugin exposes sensitive information in build logs

Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.

GHSA-m757-p8rv-4q93: Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged

In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module.  We recommend users upgrade the version of Linkis to version 1.5.0

GHSA-p2gx-4434-pf6g: Apache InLong Deserialization of Untrusted Data Vulnerability

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673

GHSA-hp2x-6vrm-7j7v: Apache Archiva Reflected Cross-site Scripting vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.