CVSS: 10.0 • EPSS: 0% • CPEs: 4 • EXPL: 0

29 Nov 2023 — A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. • http://www.openwall.com/lists/oss-security/2023/11/29/1 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 3.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Nov 2023 — Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. • http://www.openwall.com/lists/oss-security/2023/11/29/1 • CWE-862: Missing Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Apr 2022 — Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045 • CWE-522: Insufficiently Protected Credentials

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Nov 2019 — A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. • http://www.openwall.com/lists/oss-security/2019/11/21/1 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Nov 2019 — Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. • http://www.openwall.com/lists/oss-security/2019/11/21/1 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Nov 2019 — Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. • http://www.openwall.com/lists/oss-security/2019/11/21/1 • CWE-862: Missing Authorization