CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27904 – Jenkins: Information disclosure through error stack traces related to agents
https://notcve.org/view.php?id=CVE-2023-27904
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. Multicl... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27903 – Jenkins: Temporary file parameter created with insecure permissions
https://notcve.org/view.php?id=CVE-2023-27903
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used. A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CL... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058 • CWE-266: Incorrect Privilege Assignment CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27902 – Jenkins: Workspace temporary directories accessible through directory browser
https://notcve.org/view.php?id=CVE-2023-27902
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents. A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically all... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807 • CWE-266: Incorrect Privilege Assignment •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27901 – Jenkins: Denial of Service attack
https://notcve.org/view.php?id=CVE-2023-27901
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service. A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.Re... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27900 – Jenkins: Denial of Service attack
https://notcve.org/view.php?id=CVE-2023-27900
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.Multip... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27899 – Jenkins: Temporary plugin file created with insecure permissions
https://notcve.org/view.php?id=CVE-2023-27899
08 Mar 2023 — Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If the... • https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823 • CWE-378: Creation of Temporary File With Insecure Permissions CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43422
https://notcve.org/view.php?id=CVE-2022-43422
19 Oct 2022 — Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Topaz Utilities Plugin versiones 1.0.8 y anteriores, implementan un mensaje de agent/controller que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente obtener l... • http://www.openwall.com/lists/oss-security/2022/10/19/3 •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43423
https://notcve.org/view.php?id=CVE-2022-43423
19 Oct 2022 — Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin versiones 2.0.12 y anteriores, implementa un mensaje agent/controller que no limita dónde puede ser ejecutado, permitiendo a at... • http://www.openwall.com/lists/oss-security/2022/10/19/3 •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43424
https://notcve.org/view.php?id=CVE-2022-43424
19 Oct 2022 — Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. El plugin de cobertura de código de Jenkins Compuware Xpediter versiones 1.0.7 y anteriores, implementa un mensaje de agente/controlador que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los... • http://www.openwall.com/lists/oss-security/2022/10/19/3 •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43428
https://notcve.org/view.php?id=CVE-2022-43428
19 Oct 2022 — Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Jenkins Compuware Topaz for Total Test Plugin versiones 2.4.8 y anteriores, implementan un mensaje agent/controller que no limita dónde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente ob... • http://www.openwall.com/lists/oss-security/2022/10/19/3 •