24 results (0.023 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access. Jenkins Mercurial Plugin versiones 1251.va_b_121f184902 y anteriores, proporciona información sobre los trabajos que se activaron o programaron para el sondeo mediante su endpoint de webhook, incluidos los trabajos a los que el usuario no presenta permiso para acceder An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality. • http://www.openwall.com/lists/oss-security/2022/10/19/3 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831 https://access.redhat.com/security/cve/CVE-2022-43410 https://bugzilla.redhat.com/show_bug.cgi?id=2136369 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. El plugin Jenkins Mercurial versiones 2.16 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador Jenkins usando rutas locales como URLs SCM, obteniendo información limitada sobre los contenidos SCM de otros proyectos A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 https://access.redhat.com/security/cve/CVE-2022-30948 https://bugzilla.redhat.com/show_bug.cgi?id=2119644 • CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Una falta de comprobación de permisos en Jenkins Mercurial Plugin versiones 2.11 y anteriores, permite a atacantes con permiso Overall/Read obtener una lista de nombres de instalaciones Mercurial configuradas • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2104 https://access.redhat.com/security/cve/CVE-2020-2306 https://bugzilla.redhat.com/show_bug.cgi?id=1895941 • CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Jenkins Mercurial Plugin versiones 2.11 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE) A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality. • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115 https://access.redhat.com/security/cve/CVE-2020-2305 https://bugzilla.redhat.com/show_bug.cgi?id=1895940 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack. Mercurial versiones anteriores a 1.6.4, no puede comprobar el campo Common Name de los certificados SSL lo que permite a atacantes remotos que adquieren un certificado firmado por una Autoridad Certificada llevar a cabo un ataque de tipo man-in-the-middle. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4237 https://bz.mercurial-scm.org/show_bug.cgi?id=2407 https://security-tracker.debian.org/tracker/CVE-2010-4237 • CWE-295: Improper Certificate Validation •