CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27900 – Jenkins: Denial of Service attack
https://notcve.org/view.php?id=CVE-2023-27900
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.Multip... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27899 – Jenkins: Temporary plugin file created with insecure permissions
https://notcve.org/view.php?id=CVE-2023-27899
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If the... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823 • CWE-378: Creation of Temporary File With Insecure Permissions CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27898 – Jenkins: XSS vulnerability in plugin manager
https://notcve.org/view.php?id=CVE-2023-27898
08 Mar 2023 — Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. A flaw was found in Jenkins. Affected versions of Jenkins do not escape th... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43416
https://notcve.org/view.php?id=CVE-2022-43416
19 Oct 2022 — Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary ... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43422
https://notcve.org/view.php?id=CVE-2022-43422
19 Oct 2022 — Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Topaz Utilities Plugin versiones 1.0.8 y anteriores, implementan un mensaje de agent/controller que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente obtener l... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-693: Protection Mechanism Failure •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43423
https://notcve.org/view.php?id=CVE-2022-43423
19 Oct 2022 — Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin versiones 2.0.12 y anteriores, implementa un mensaje agent/controller que no limita dónde puede ser ejecutado, permitiendo a at... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43424
https://notcve.org/view.php?id=CVE-2022-43424
19 Oct 2022 — Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. El plugin de cobertura de código de Jenkins Compuware Xpediter versiones 1.0.7 y anteriores, implementa un mensaje de agente/controlador que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-693: Protection Mechanism Failure •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43428
https://notcve.org/view.php?id=CVE-2022-43428
19 Oct 2022 — Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Topaz for Total Test Plugin versiones 2.4.8 y anteriores, implementan un mensaje agent/controller que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente ob... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43429
https://notcve.org/view.php?id=CVE-2022-43429
19 Oct 2022 — Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. Jenkins Compuware Topaz for Total Test Plugin versiones 2.4.8 y anteriores, implementan un mensaje agent/controller que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente leer archivos arbitrari... • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-41224
https://notcve.org/view.php?id=CVE-2022-41224
21 Sep 2022 — Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component. Jenkins versiones 2.367 hasta 2.369 (ambas inclusive) no escapa a la información sobre herramientas del componente l:helpIcon UI usado para algunos iconos de ayuda en la interfaz web de Jenkins, lo que da lugar a una vulnerabilida... • https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2886 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •