CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23118
https://notcve.org/view.php?id=CVE-2022-23118
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller. El plugin Jenkins Debian Package Builder versiones 1.6.11 y anteriores, implementan una funcionalidad que permite a agentes invocar la línea de comandos "git" en una ruta especificada por el atacante en el controlador, permitiendo a atacantes capaces de controlar los procesos del agente invocar comandos arbitrarios del Sistema Operativo en el controlador • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2546 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23117
https://notcve.org/view.php?id=CVE-2022-23117
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. Jenkins Conjur Secrets Plugin versiones 1.0.9 y anteriores, implementan una funcionalidad que permite a atacantes capaces de controlar los procesos del agente recuperar todas las credenciales de nombre de usuario/contraseña almacenadas en el controlador Jenkins • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%282%29 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23116
https://notcve.org/view.php?id=CVE-2022-23116
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. Jenkins Conjur Secrets Plugin versiones 1.0.9 y anteriores, implementan una funcionalidad que permite a atacantes capaces de controlar los procesos del agente descifrar los secretos almacenados en Jenkins obtenidos mediante otro método • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23115
https://notcve.org/view.php?id=CVE-2022-23115
Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task. Unas vulnerabilidades de tipo Cross-site request forgery (CSRF) en Jenkins batch task Plugin versiones 1.19 y anteriores, permite a atacantes con acceso Overall/Read recuperar registros, construir o eliminar una tarea por lotes • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1025 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23114
https://notcve.org/view.php?id=CVE-2022-23114
Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. El plugin Jenkins Publish Over SSH versiones 1.22 y anteriores, almacena la contraseña sin cifrar en su archivo de configuración global en el controlador Jenkins, donde puede ser visualizada por usuarios con acceso al sistema de archivos del controlador Jenkins • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2291 • CWE-522: Insufficiently Protected Credentials •