CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23899 – jenkins-2-plugins: git-server plugin arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2024-23899
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system. El complemento del servidor Jenkins Git 99.va_0826a_b_cdfa_d y versiones anteriores no desactiva una función de su analizador de comandos que reemplaza un carácter '@' seguido de una ruta de archivo en un argumento con el contenido del archivo, permitiendo a atacantes con permiso general/lectura leer contenido de archivos arbitrarios en el sistema de archivos del controlador Jenkins. A flaw was found in the Git Server Plugin for Jenkins. This issue could allow an attacker to read the first two lines of arbitrary files on the server's file system. • http://www.openwall.com/lists/oss-security/2024/01/24/6 https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319 https://access.redhat.com/security/cve/CVE-2024-23899 https://bugzilla.redhat.com/show_bug.cgi?id=2260183 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43421
https://notcve.org/view.php?id=CVE-2022-43421
A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value. Una falta de comprobación de permisos en el plugin de origen de la rama Git de Jenkins versiones 3.2.4 y anteriores, permite a atacantes no autentificados desencadenar proyectos de Tuleap cuyo repositorio configurado coincide con el valor especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/10/19/3 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2852 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38663
https://notcve.org/view.php?id=CVE-2022-38663
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Jenkins Git Plugin versiones 4.11.4 y anteriores, no enmascara apropiadamente (es decir, reemplaza con asteriscos) las credenciales en el registro de construcción proporcionado por el enlace de credenciales Git Username and Password ("gitUsernamePassword"). • http://www.openwall.com/lists/oss-security/2022/08/23/2 https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36884 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36884
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados información sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36884 https://bugzilla.redhat.com/show_bug.cgi?id=2119657 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-36883 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36883
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una falta de comprobación de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobación de un commit especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36883 https://bugzilla.redhat.com/show_bug.cgi?id=2119656 • CWE-862: Missing Authorization •