CVE-2024-28155
https://notcve.org/view.php?id=CVE-2024-28155
Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. El complemento Jenkins AppSpider 1.0.16 y versiones anteriores no realiza comprobaciones de permisos en varios endpoints HTTP, lo que permite a los atacantes con permiso general/lectura obtener información sobre los nombres de configuraciones de escaneo disponibles, nombres de grupos de motores y nombres de clientes. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3144 •
CVE-2024-28154
https://notcve.org/view.php?id=CVE-2024-28154
Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. Jenkins MQ Notifier Plugin 1.4.0 y versiones anteriores registran parámetros de compilación potencialmente confidenciales como parte de la información de depuración en los registros de compilación de forma predeterminada. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3180 •
CVE-2024-28153
https://notcve.org/view.php?id=CVE-2024-28153
Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. El complemento Jenkins OWASP Dependency-Check 5.4.5 y versiones anteriores no escapa a los metadatos de vulnerabilidad de los informes Dependency-Check, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3344 •
CVE-2024-28151
https://notcve.org/view.php?id=CVE-2024-28151
Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores archiva enlaces simbólicos no válidos en directorios de informes de agentes y los recrea en el controlador, lo que permite a los atacantes con permiso Item/Configure determinar si existe una ruta en el sistema de archivos del controlador Jenkins, sin poder acceder a ella. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3303 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-28150
https://notcve.org/view.php?id=CVE-2024-28150
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores no escapan a los nombres de trabajos, nombres de informes y títulos de páginas de índice que se muestran como parte del frame del informe, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes con permiso Item/Configure. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •