CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29052
https://notcve.org/view.php?id=CVE-2022-29052
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Jenkins Google Compute Engine Plugin versiones 4.3.8 y anteriores, almacena las claves privadas sin cifrar en los archivos config.xml del agente de la nube en el controlador de Jenkins, donde pueden ser visualizados por usuarios con permiso de Lectura Extendida, o el acceso al sistema de archivos del controlador de Jenkins • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29051
https://notcve.org/view.php?id=CVE-2022-29051
Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Una falta de comprobaciones de permisos en Jenkins Publish Over FTP Plugin versiones 1.16 y anteriores, permite a atacantes con permiso de Lectura Extendida conectarse a un servidor FTP usando credenciales especificadas por el atacante • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2321 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29050
https://notcve.org/view.php?id=CVE-2022-29050
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials. Una vulnerabilidad de cross-site request forgery (CSRF) en Jenkins Publish Over FTP Plugin versiones 1.16 y anteriores, permite a atacantes conectarse a un servidor FTP usando credenciales especificadas por el atacante • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2321 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29048
https://notcve.org/view.php?id=CVE-2022-29048
A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Subversion Plugin versiones 2.15.3 y anteriores, permite a atacantes conectarse a una URL especificada por el atacante • http://seclists.org/fulldisclosure/2022/Jul/18 https://support.apple.com/kb/HT213345 https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2075 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29047 – Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
https://notcve.org/view.php?id=CVE-2022-29047
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them. Jenkins Pipeline: Shared Groovy Libraries Plugin versiones 564.ve62a_4eb_b_e039 y anteriores, excepto 2.21.3, permite a atacantes capaces de enviar pull requests (o equivalentes), pero no capaces de comprometerse directamente con el SCM configurado, cambiar efectivamente el comportamiento de Pipeline cambiando la definición de una biblioteca recuperada dinámicamente en su petición de pull, incluso si Pipeline está configurado para no confiar en ellos A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them. • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951 https://access.redhat.com/security/cve/CVE-2022-29047 https://bugzilla.redhat.com/show_bug.cgi?id=2074855 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-863: Incorrect Authorization •