Page 2 of 229 results (0.089 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. Jenkins 2.423 y anteriores, LTS 2.414.1 y anteriores crean un archivo temporal en el directorio temporal del sistema con los permisos predeterminados para archivos recién creados al instalar un complemento desde una URL, lo que potencialmente permite a los atacantes con acceso al directorio temporal del sistema reemplazar el archivo antes de instalarlo en Jenkins, lo que podría provocar la ejecución de código arbitrario. • http://www.openwall.com/lists/oss-security/2023/09/20/5 https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072 • CWE-276: Incorrect Default Permissions •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. Jenkins 2.423 y anteriores, LTS 2.414.1 y anteriores no escapan al valor del parámetro constructor 'caption' de 'ExpandableDetailsNote', lo que genera una vulnerabilidad de Store Cross-Site Scripting (XSS) que pueden explotar los atacantes capaces de controlar este parámetro. • http://www.openwall.com/lists/oss-security/2023/09/20/5 https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. • http://www.openwall.com/lists/oss-security/2023/07/26/2 https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu. • http://www.openwall.com/lists/oss-security/2023/06/14/5 https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120 https://access.redhat.com/security/cve/CVE-2023-27904 https://bugzilla.redhat.com/show_bug.cgi?id=2177634 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •