CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34148
https://notcve.org/view.php?id=CVE-2024-34148
02 May 2024 — Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'. El complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores deshabilita mediante programación la solución para CVE-2016-3721 cada vez que se activa una compilación desde una etiqueta de versión, estableciendo la propiedad ... • http://www.openwall.com/lists/oss-security/2024/05/02/3 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34147
https://notcve.org/view.php?id=CVE-2024-34147
02 May 2024 — Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. Jenkins Telegram Bot Plugin 1.4.0 y versiones anteriores almacenan el token de Telegram Bot sin cifrar en su archivo de configuración global en el controlador de Jenkins, donde los usuarios con acceso al sistema de archivos del controlador de Jenkins pueden verlo. • http://www.openwall.com/lists/oss-security/2024/05/02/3 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28162
https://notcve.org/view.php?id=CVE-2024-28162
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation. En Jenkins Delphix Plugin 3.0.1 a 3.1.0 (ambos inclusive), una opción global para que los administradores habiliten o deshabiliten la validación de certificados SSL/TLS para conexiones de la Torre de control de... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28161
https://notcve.org/view.php?id=CVE-2024-28161
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default. En Jenkins Delphix Plugin 3.0.1, una opción global para que los administradores habiliten o deshabiliten la validación de certificados SSL/TLS para conexiones de Data Control Tower (DCT) está deshabilitada de forma predeterminada. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28160
https://notcve.org/view.php?id=CVE-2024-28160
06 Mar 2024 — Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. El complemento Jenkins iceScrum 1.1.6 y versiones anteriores no sanitiza las URL del proyecto iceScrum en las vistas de compilación, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes capaces de configurar trabajos. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28159
https://notcve.org/view.php?id=CVE-2024-28159
06 Mar 2024 — A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build. Una verificación de permiso faltante en el complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores permite a atacantes con permiso de elemento/lectura activar una compilación. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28158
https://notcve.org/view.php?id=CVE-2024-28158
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build. Vulnerabilidad de cross-site request forgery (CSRF) en el complemento Jenkins Subversion Partial Release Manager 1.0.1 y versiones anteriores permite a los atacantes activar una compilación. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28157
https://notcve.org/view.php?id=CVE-2024-28157
06 Mar 2024 — Jenkins GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. Jenkins GitBucket Plugin 0.8 y versiones anteriores no desinfectan las URL de Gitbucket en las vistas de compilación, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes capaces de configurar trabajos. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28155
https://notcve.org/view.php?id=CVE-2024-28155
06 Mar 2024 — Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. El complemento Jenkins AppSpider 1.0.16 y versiones anteriores no realiza comprobaciones de permisos en varios endpoints HTTP, lo que permite a los atacantes con permiso general/lectura obtener información sobre los nombres de configuraciones de escaneo disponibl... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28154
https://notcve.org/view.php?id=CVE-2024-28154
06 Mar 2024 — Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. Jenkins MQ Notifier Plugin 1.4.0 y versiones anteriores registran parámetros de compilación potencialmente confidenciales como parte de la información de depuración en los registros de compilación de forma predeterminada. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-532: Insertion of Sensitive Information into Log File •