CVSS: 5.5EPSS: 3%CPEs: 1EXPL: 0CVE-2023-46650
https://notcve.org/view.php?id=CVE-2023-46650
25 Oct 2023 — Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. El complemento Jenkins GitHub 1.37.3 y versiones anteriores no escapa a la URL del proyecto GitHub en la página de compilación cuando muestra cambios, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) que pueden explotar los atacantes con permiso de elemento/... • http://www.openwall.com/lists/oss-security/2023/10/25/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36885 – plugin: Non-constant time webhook signature comparison in GitHub Plugin
https://notcve.org/view.php?id=CVE-2022-36885
27 Jul 2022 — Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. Jenkins GitHub Plugin versiones v1.34.4 y anteriores, usa una función de comparación de tiempo no constante cuando comprueba si las firmas de webhooks proporcionadas y calculadas son iguales, permitiendo a atacantes usar métodos estadísticos para obtener una firma ... • http://www.openwall.com/lists/oss-security/2022/07/27/1 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2020-10519 – Unsafe configuration options in GitHub Pages leading to remote code execution on GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2020-10519
03 Mar 2021 — A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all ... • https://docs.github.com/en/enterprise-server%402.20/admin/release-notes#2.20.24 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10517 – Improper access control in GitHub Enterprise Server leading to the enumeration of private repository names
https://notcve.org/view.php?id=CVE-2020-10517
27 Aug 2020 — An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bount... • https://enterprise.github.com/releases/2.19.21/notes • CWE-285: Improper Authorization •
CVSS: 8.8EPSS: 3%CPEs: 3EXPL: 0CVE-2020-10518 – Unsafe configuration options in GitHub Pages leading to remote code execution on GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2020-10518
27 Aug 2020 — A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all ... • https://enterprise.github.com/releases/2.19.21/notes • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 94%CPEs: 1EXPL: 0CVE-2018-1000600
https://notcve.org/view.php?id=CVE-2018-1000600
26 Jun 2018 — A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Existe una vulnerabilidad de exposición de información sensible en el plugin de Jenkins GitHub en versiones 1.29.1 y anteriores en GitHubTokenCredentialsCreator.java que permite que los atacantes capturen cr... • https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000183
https://notcve.org/view.php?id=CVE-2018-1000183
05 Jun 2018 — A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una vulnerabilidad de exposición de información sensible en el plugin GitHub 1.29.0 y anteriores de Jenkins en GitHubServerConfig.java que permite que los atacantes con acceso Overall/... • https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000184
https://notcve.org/view.php?id=CVE-2018-1000184
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Existe una vulnerabilidad Server-Side Request Forgery en el plugin GitHub en versiones 1.29.0 y anteriores de Jenkins en GitHubPluginConfig.java que permite que los atacantes con acceso Overall/Read provoquen que Jenkins envíe una petición GET a un URL específico. • https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2012-2055
https://notcve.org/view.php?id=CVE-2012-2055
04 Apr 2012 — GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability. GitHub Enterprise antes de v20120304 no restringe debidamente el uso de un hash para proporcionar los valores para un modelo de atributos, lo que permite a atacantes remotos establecer el valor public_key [user_id] a través d... • http://homakov.blogspot.com/2012/03/how-to.html • CWE-913: Improper Control of Dynamically-Managed Code Resources •