CVE-2020-2162
https://notcve.org/view.php?id=CVE-2020-2162
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
• http://www.openwall.com/lists/oss-security/2020/03/25/2
• https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1793
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-2160
https://notcve.org/view.php?id=CVE-2020-2160
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
• http://www.openwall.com/lists/oss-security/2020/03/25/2
• https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-2161
https://notcve.org/view.php?id=CVE-2020-2161
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
• http://www.openwall.com/lists/oss-security/2020/03/25/2
• https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-0785
https://notcve.org/view.php?id=CVE-2012-0785
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."
• http://www.openwall.com/lists/oss-security/2012/01/20/8
• https://access.redhat.com/security/cve/cve-2012-0785
• https://jenkins.io/security/advisory/2012-01-12
• https://security-tracker.debian.org/tracker/CVE-2012-0785
• https://www.cloudbees.com/jenkins-security-advisory-2012-01-12
• CWE-400: Uncontrolled Resource Consumption
CVE-2020-2105
https://notcve.org/view.php?id=CVE-2020-2105
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
• http://www.openwall.com/lists/oss-security/2020/01/29/1
• https://access.redhat.com/errata/RHBA-2020:0402
• https://access.redhat.com/errata/RHBA-2020:0675
• https://access.redhat.com/errata/RHSA-2020:0681
• https://access.redhat.com/errata/RHSA-2020:0683
• https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704
• CWE-1021: Improper Restriction of Rendered UI Layers or Frames