CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40341 – jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials
https://notcve.org/view.php?id=CVE-2023-40341
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. A flaw was found in the blueocean Jenkins plugin. Affected versions of this plugin allow attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. • http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3116 https://access.redhat.com/security/cve/CVE-2023-40341 https://bugzilla.redhat.com/show_bug.cgi?id=2232422 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30954 – plugin: missing permission checks in Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30954
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. El plugin Jenkins Blue Ocean versiones 1.25.3 y anteriores, no lleva a cabo una comprobación de permisos en varios endpoints HTTP, permitiendo a atacantes con permiso Overall/Read conectarse a un servidor HTTP especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502 https://access.redhat.com/security/cve/CVE-2022-30954 https://bugzilla.redhat.com/show_bug.cgi?id=2119647 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30953 – plugin: CSRF vulnerability in Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30953
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Jenkins Blue Ocean versiones 1.25.3 y anteriores, permite a atacantes conectarse a un servidor HTTP especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502 https://access.redhat.com/security/cve/CVE-2022-30953 https://bugzilla.redhat.com/show_bug.cgi?id=2119646 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30952 – plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30952
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. La API SCM de Jenkins Pipeline para el plugin Blue Ocean versiones 1.25.3 y anteriores, permite a atacantes con permiso de Job/Configure acceder a credenciales con IDs especificados por el atacante almacenados en los almacenes privados de credenciales por usuario de cualquier usuario especificado por el atacante en Jenkins • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714 https://access.redhat.com/security/cve/CVE-2022-30952 https://bugzilla.redhat.com/show_bug.cgi?id=2119645 • CWE-522: Insufficiently Protected Credentials CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2255 – jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests.
https://notcve.org/view.php?id=CVE-2020-2255
A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. Una falta de comprobación de permisos en Jenkins Blue Ocean Plugin versiones 1.23.2 y anteriores, permite a atacantes con permiso Overall/Read conectarse a una URL especificada por el atacante • http://www.openwall.com/lists/oss-security/2020/09/16/3 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961 https://access.redhat.com/security/cve/CVE-2020-2255 https://bugzilla.redhat.com/show_bug.cgi?id=1880460 • CWE-862: Missing Authorization •