CVE-2022-28137
https://notcve.org/view.php?id=CVE-2022-28137
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2236
CWE-862: Missing Authorization
CVE-2022-28136
https://notcve.org/view.php?id=CVE-2022-28136
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2236
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-28135
https://notcve.org/view.php?id=CVE-2022-28135
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller, where they can be viewed by users with access to the Jenkins controller file system.
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2161
CWE-522: Insufficiently Protected Credentials
CVE-2022-28134
https://notcve.org/view.php?id=CVE-2022-28134
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete Bitbucket Server consumers.
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2640
CWE-862: Missing Authorization
CVE-2022-28133
https://notcve.org/view.php?id=CVE-2022-28133
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Bitbucket Server consumers.
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2639
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')