CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20619
https://notcve.org/view.php?id=CVE-2022-20619
A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be y anteriores permite a atacantes conectarse a una URL especificada por el atacante usando IDs de credenciales especificados por el atacante obtenidos a través de otro método, capturando credenciales almacenadas en Jenkins • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20618
https://notcve.org/view.php?id=CVE-2022-20618
A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Una falta de comprobación de permisos en el Plugin Jenkins Bitbucket Branch Source versiones 737.vdf9dc06105be y anteriores, permite a atacantes con acceso general/libre enumerar los ID de las credenciales almacenadas en Jenkins • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-20617 – jenkins-2-plugins/docker-commons: does not sanitize the name of an image or a tag which could result in an OS command execution
https://notcve.org/view.php?id=CVE-2022-20617
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository. Jenkins Docker Commons Plugin versiones 1.17 y anteriores, no sanea el nombre de una imagen o una etiqueta, resultando en una vulnerabilidad de ejecución de comandos del Sistema Operativo explotable por atacantes con permiso Item/Configure o capaces de controlar el contenido del repositorio SCM de un trabajo previamente configurado An OS command execution vulnerability was found in the Jenkins Docker Commons plugin. Due to a lack of sanitization in the name of an image or a tag, an attacker with Item/Configure permission or the ability to control the contents of a previously configured job’s SCM repository may be able to execute OS commands. • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1878 https://access.redhat.com/security/cve/CVE-2022-20617 https://bugzilla.redhat.com/show_bug.cgi?id=2044502 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-20616
https://notcve.org/view.php?id=CVE-2022-20616
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. El plugin Jenkins Credentials Binding versiones 1.27 y anteriores, no lleva a cabo una comprobación de permisos en un método que implementa la comprobación de formularios, que permite a atacantes con acceso Overall/Read comprobar si un ID de credencial es referido a una credencial de archivo secreto y si es un archivo zip • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20615
https://notcve.org/view.php?id=CVE-2022-20615
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. El plugin Jenkins Matrix Project versiones 1.19 y anteriores, no escapa de los metacaracteres HTML en los nombres de nodos y etiquetas, y en las descripciones de las mismas, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenada explotable por atacantes con permiso de Agente/Configuración • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •