CVE-2019-16556
https://notcve.org/view.php?id=CVE-2019-16556
Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system.
References: http://www.openwall.com/lists/oss-security/2019/12/17/1 ; https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636
CWE-522: Insufficiently Protected Credentials
CVE-2019-10454
https://notcve.org/view.php?id=CVE-2019-10454
A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
References: https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1460
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-10455
https://notcve.org/view.php?id=CVE-2019-10455
A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
References: https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1460
CWE-862: Missing Authorization
CVE-2019-6804 – Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-6804
An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascripts/workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp. Rundeck Community Edition versions prior to 3.0.13 suffer from a cross-site scripting vulnerability.
References: https://www.exploit-db.com/exploits/46251 ; https://docs.rundeck.com/docs/history/version-3.0.13.html ; https://github.com/rundeck/rundeck/issues/4406
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')