CVE-2023-46657
https://notcve.org/view.php?id=CVE-2023-46657
Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
References: http://www.openwall.com/lists/oss-security/2023/10/25/2 https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2896
Weakness: CWE-697: Incorrect Comparison
CVE-2023-40349
https://notcve.org/view.php?id=CVE-2023-40349
Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.
References: http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2894
Weakness: CWE-665: Improper Initialization
CVE-2023-40348
https://notcve.org/view.php?id=CVE-2023-40348
The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output.
References: http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2894
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-2024 – OS Command Injection in gogs/gogs
https://notcve.org/view.php?id=CVE-2022-2024
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
References: https://github.com/gogs/gogs/commit/15d0d6a94be0098a8227b6b95bdf2daed105ec41 https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97
Weakness: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-32174 – Gogs - XSS
https://notcve.org/view.php?id=CVE-2022-32174
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
References: https://github.com/gogs/gogs/blob/v0.12.10/public/js/gogs.js#L263 https://www.mend.io/vulnerability-database/CVE-2022-32174
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')