CVE-2022-38663
https://notcve.org/view.php?id=CVE-2022-38663
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Jenkins Git Plugin versiones 4.11.4 y anteriores, no enmascara apropiadamente (es decir, reemplaza con asteriscos) las credenciales en el registro de construcción proporcionado por el enlace de credenciales Git Username and Password ("gitUsernamePassword"). • http://www.openwall.com/lists/oss-security/2022/08/23/2 https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 • CWE-522: Insufficiently Protected Credentials •
CVE-2022-36884 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36884
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados información sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36884 https://bugzilla.redhat.com/show_bug.cgi?id=2119657 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •
CVE-2022-36883 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36883
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una falta de comprobación de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobación de un commit especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36883 https://bugzilla.redhat.com/show_bug.cgi?id=2119656 • CWE-862: Missing Authorization •
CVE-2022-36882 – jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git
https://notcve.org/view.php?id=CVE-2022-36882
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causar que comprueben un commit especificado por el atacante A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36882 https://bugzilla.redhat.com/show_bug.cgi?id=2116840 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-30947
https://notcve.org/view.php?id=CVE-2022-30947
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. El Plugin Git de Jenkins versiones 4.11.1 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador de Jenkins usando rutas locales como URLs SCM, obteniendo información limitada sobre los contenidos SCM de otros proyectos • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 •