CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 0CVE-2024-43045
https://notcve.org/view.php?id=CVE-2024-43045
07 Aug 2024 — Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views". • https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3349 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 46%CPEs: 4EXPL: 5CVE-2024-43044 – jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE
https://notcve.org/view.php?id=CVE-2024-43044
07 Aug 2024 — Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library. A vulnerability was found in the Remoting library in Jenkins core, which handles communication between the Jenkins controller and agents. The ClassLoaderProxy#fetchJar function may allow malicious agents or attackers with Agent/Connect permission to read arbitrary files from the Jenkins controller's ... • https://github.com/v9d0g/CVE-2024-43044-POC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5273
https://notcve.org/view.php?id=CVE-2024-5273
24 May 2024 — Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path. El complemento Jenkins Report Info 1.2 y versiones anteriores no realiza la validación de la ruta del directorio del espacio de trabajo mientras sirve archivos de informes, lo que permit... • http://www.openwall.com/lists/oss-security/2024/05/24/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34148
https://notcve.org/view.php?id=CVE-2024-34148
02 May 2024 — Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'. El complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores deshabilita mediante programación la solución para CVE-2016-3721 cada vez que se activa una compilación desde una etiqueta de versión, estableciendo la propiedad ... • http://www.openwall.com/lists/oss-security/2024/05/02/3 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34147
https://notcve.org/view.php?id=CVE-2024-34147
02 May 2024 — Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. Jenkins Telegram Bot Plugin 1.4.0 y versiones anteriores almacenan el token de Telegram Bot sin cifrar en su archivo de configuración global en el controlador de Jenkins, donde los usuarios con acceso al sistema de archivos del controlador de Jenkins pueden verlo. • http://www.openwall.com/lists/oss-security/2024/05/02/3 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28162
https://notcve.org/view.php?id=CVE-2024-28162
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation. En Jenkins Delphix Plugin 3.0.1 a 3.1.0 (ambos inclusive), una opción global para que los administradores habiliten o deshabiliten la validación de certificados SSL/TLS para conexiones de la Torre de control de... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28161
https://notcve.org/view.php?id=CVE-2024-28161
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default. En Jenkins Delphix Plugin 3.0.1, una opción global para que los administradores habiliten o deshabiliten la validación de certificados SSL/TLS para conexiones de Data Control Tower (DCT) está deshabilitada de forma predeterminada. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28160
https://notcve.org/view.php?id=CVE-2024-28160
06 Mar 2024 — Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. El complemento Jenkins iceScrum 1.1.6 y versiones anteriores no sanitiza las URL del proyecto iceScrum en las vistas de compilación, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes capaces de configurar trabajos. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28159
https://notcve.org/view.php?id=CVE-2024-28159
06 Mar 2024 — A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build. Una verificación de permiso faltante en el complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores permite a atacantes con permiso de elemento/lectura activar una compilación. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28158
https://notcve.org/view.php?id=CVE-2024-28158
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build. Vulnerabilidad de cross-site request forgery (CSRF) en el complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores permite a los atacantes activar una compilación. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF) •