
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2024 — Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. • http://www.openwall.com/lists/oss-security/2024/01/24/6 • CWE-697: Incorrect Comparison

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL. • http://www.openwall.com/lists/oss-security/2024/01/24/6 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2024 — Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group. • http://www.openwall.com/lists/oss-security/2024/01/24/6

CVSS: 5.5 | EPSS: 3% | CPEs: 1 | EXPL: 0

25 Oct 2023 — Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • http://www.openwall.com/lists/oss-security/2023/10/25/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2023 — A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2023 — A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29 • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2023 — A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%281%29 • CWE-862: Missing Authorization

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jan 2023 — Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller, where they can be viewed by users with access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767 • CWE-312: Cleartext Storage of Sensitive Information

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jul 2022 — Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • CWE-203: Observable Discrepancy • CWE-208: Observable Timing Discrepancy

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Jul 2020 — Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master, where they can be viewed by users with access to the master file system or read permissions on the system configuration. • http://www.openwall.com/lists/oss-security/2020/07/02/7 • CWE-522: Insufficiently Protected Credentials