10 results (0.010 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una verificación de permiso faltante en un punto final HTTP en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes con permiso general/lectura conectarse a una URL de socket TCP o Unix especificada por el atacante y reconfigurar el complemento utilizando los parámetros de prueba de conexión proporcionados, lo que afecta las ejecuciones futuras de pasos de compilación. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3200 • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una vulnerabilidad de falsificación de solicitud entre sitios (CSRF) en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes conectarse a una URL de socket TCP o Unix especificada por el atacante y reconfigurar el complemento utilizando los parámetros de prueba de conexión proporcionados, afectando las futuras ejecuciones de pasos de construcción. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3200 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. • http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2811 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. Una comprobación de permisos faltante en Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 y anteriores permite a atacantes no autenticados activar compilaciones de trabajos correspondientes al repositorio especificado por el atacante. • http://www.openwall.com/lists/oss-security/2022/11/15/4 https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2843 • CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository. Jenkins Docker Commons Plugin versiones 1.17 y anteriores, no sanea el nombre de una imagen o una etiqueta, resultando en una vulnerabilidad de ejecución de comandos del Sistema Operativo explotable por atacantes con permiso Item/Configure o capaces de controlar el contenido del repositorio SCM de un trabajo previamente configurado An OS command execution vulnerability was found in the Jenkins Docker Commons plugin. Due to a lack of sanitization in the name of an image or a tag, an attacker with Item/Configure permission or the ability to control the contents of a previously configured job’s SCM repository may be able to execute OS commands. • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1878 https://access.redhat.com/security/cve/CVE-2022-20617 https://bugzilla.redhat.com/show_bug.cgi?id=2044502 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •