CVE-2023-41934
https://notcve.org/view.php?id=CVE-2023-41934
Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked. El complemento Jenkins Pipeline Maven Integration 1330.v18e473854496 y versiones anteriores no enmascaran correctamente (es decir, reemplazan con asteriscos) los nombres de usuario de las credenciales especificadas en la configuración personalizada de Maven en los registros de build del Pipeline si está marcada la opción "Tratar nombre de usuario como secreto". • http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3257 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-41933
https://notcve.org/view.php?id=CVE-2023-41933
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. El complemento Jenkins Job Configuration History 1227.v7a_79fc4dc01f y versiones anteriores no configuran su analizador XML para evitar ataques de entidad externa XML (XXE). • http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-41932
https://notcve.org/view.php?id=CVE-2023-41932
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'. El complemento Jenkins Job Configuration History 1227.v7a_79fc4dc01f y versiones anteriores no restringen los parámetros de consulta de 'timestamp' en múltiples endpoints, lo que permite a los atacantes eliminar directorios especificados por el atacante en el sistema de archivos del controlador Jenkins siempre que contengan un archivo llamado 'history.xml'. • http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-41931
https://notcve.org/view.php?id=CVE-2023-41931
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability. El complemento Jenkins Job Configuration History 1227.v7a_79fc4dc01f y versiones anteriores no sanitizan ni escapan el valor timestamp de las entradas de historial al representar una entrada de historial en la vista de historial, lo que da como resultado una vulnerabilidad de Cross-Site Scripting (XSS) almacenada. • http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-41930
https://notcve.org/view.php?id=CVE-2023-41930
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. El complemento Jenkins Job Configuration History 1227.v7a_79fc4dc01f y versiones anteriores no restringe el parámetro de consulta 'name' al renderizar una entrada de historial, lo que permite a los atacantes hacer que Jenkins renderice un historial de configuración manipulado que no fue creado por el complemento. • http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •