CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43410 – jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
https://notcve.org/view.php?id=CVE-2022-43410
Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access. Jenkins Mercurial Plugin versiones 1251.va_b_121f184902 y anteriores, proporciona información sobre los trabajos que se activaron o programaron para el sondeo mediante su endpoint de webhook, incluidos los trabajos a los que el usuario no presenta permiso para acceder An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality. • http://www.openwall.com/lists/oss-security/2022/10/19/3 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831 https://access.redhat.com/security/cve/CVE-2022-43410 https://bugzilla.redhat.com/show_bug.cgi?id=2136369 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30948 – plugin: Mercurial SCM plugin can check out from the controller file system
https://notcve.org/view.php?id=CVE-2022-30948
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. El plugin Jenkins Mercurial versiones 2.16 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador Jenkins usando rutas locales como URLs SCM, obteniendo información limitada sobre los contenidos SCM de otros proyectos A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 https://access.redhat.com/security/cve/CVE-2022-30948 https://bugzilla.redhat.com/show_bug.cgi?id=2119644 • CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2305 – jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
https://notcve.org/view.php?id=CVE-2020-2305
Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Jenkins Mercurial Plugin versiones 2.11 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE) A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality. • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115 https://access.redhat.com/security/cve/CVE-2020-2305 https://bugzilla.redhat.com/show_bug.cgi?id=1895940 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2306 – jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint could result in information disclosure
https://notcve.org/view.php?id=CVE-2020-2306
A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Una falta de comprobación de permisos en Jenkins Mercurial Plugin versiones 2.11 y anteriores, permite a atacantes con permiso Overall/Read obtener una lista de nombres de instalaciones Mercurial configuradas • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2104 https://access.redhat.com/security/cve/CVE-2020-2306 https://bugzilla.redhat.com/show_bug.cgi?id=1895941 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000112
https://notcve.org/view.php?id=CVE-2018-1000112
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users. Existe una vulnerabilidad de autorización incorrecta en el plugin Mercurial para Jenkins, en versiones 2.2 y anteriores, en MercurialStatus.java que permite que un atacante con acceso de red obtenga una lista de nodos y usuarios. • https://jenkins.io/security/advisory/2018-02-26/#SECURITY-726 • CWE-863: Incorrect Authorization •