CVE-2022-34176 – jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin
https://notcve.org/view.php?id=CVE-2022-34176
Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
A flaw was found in the JUnit Jenkins plugin. Manipulation with an unknown input leads to a cross-site scripting vulnerability that impacts integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website.
• https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760
• https://access.redhat.com/security/cve/CVE-2022-34176
• https://bugzilla.redhat.com/show_bug.cgi?id=2103548
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-34177 – jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin
https://notcve.org/view.php?id=CVE-2022-34177
Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
A flaw was found in the Pipeline Input Step Plugin. This issue affects the code of the Archive File Handler component. Manipulating the `file` argument with malicious input leads to a directory traversal vulnerability.
• https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705
• https://access.redhat.com/security/cve/CVE-2022-34177
• https://bugzilla.redhat.com/show_bug.cgi?id=2103551
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-30972
https://notcve.org/view.php?id=CVE-2022-30972
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
• https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-30971
https://notcve.org/view.php?id=CVE-2022-30971
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
• https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2022-30970
https://notcve.org/view.php?id=CVE-2022-30970
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from JavaScript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
• https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2267
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')