CVE-2023-46655
https://notcve.org/view.php?id=CVE-2023-46655
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
• References: http://www.openwall.com/lists/oss-security/2023/10/25/2 ; https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3238
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2023-46654
https://notcve.org/view.php?id=CVE-2023-46654
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
• References: http://www.openwall.com/lists/oss-security/2023/10/25/2 ; https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3237
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2023-46653
https://notcve.org/view.php?id=CVE-2023-46653
Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs the LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.
• References: http://www.openwall.com/lists/oss-security/2023/10/25/2 ; https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202
• CWE-312: Cleartext Storage of Sensitive Information
CVE-2023-46652
https://notcve.org/view.php?id=CVE-2023-46652
A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins.
• References: http://www.openwall.com/lists/oss-security/2023/10/25/2 ; https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3222
• CWE-862: Missing Authorization
CVE-2023-46651
https://notcve.org/view.php?id=CVE-2023-46651
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.
• References: http://www.openwall.com/lists/oss-security/2023/10/25/2 ; https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3265
• CWE-522: Insufficiently Protected Credentials