CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

References:
• http://www.openwall.com/lists/oss-security/2022/01/12/6
• https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342

CWE:
• CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances.

References:
• http://www.openwall.com/lists/oss-security/2020/05/06/3
• https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835
• https://access.redhat.com/security/cve/CVE-2020-2182
• https://bugzilla.redhat.com/show_bug.cgi?id=1847348

CWE:
• CWE-222: Truncation of Security-relevant Information
• CWE-522: Insufficiently Protected Credentials

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.

References:
• http://www.openwall.com/lists/oss-security/2020/05/06/3
• https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374
• https://access.redhat.com/security/cve/CVE-2020-2181
• https://bugzilla.redhat.com/show_bug.cgi?id=1847341

CWE:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-522: Insufficiently Protected Credentials

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Jenkins Credentials Binding Plugin 1.17 is affected by CWE-257: Storing Passwords in a Recoverable Format. The impact is that authenticated users can recover credentials. The affected component is config-variables.jelly line #30 (passwordVariable). The attack vector is an attacker creating and executing a Jenkins job.

References:
• http://www.securityfocus.com/bid/109320
• https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing

CWE:
• CWE-257: Storing Passwords in a Recoverable Format
• CWE-522: Insufficiently Protected Credentials

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins, however, transforms provided password values, e.g. by replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.

References:
• https://jenkins.io/security/advisory/2018-02-05

CWE:
• CWE-522: Insufficiently Protected Credentials