
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-312: Cleartext Storage of Sensitive Information •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-311: Missing Encryption of Sensitive Data •
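The two SECURITY-3017 entries above describe the same defect from two sides: the form does not mask extra variables, and config.xml stores them in cleartext. A practical follow-up is to find which jobs on the controller still carry cleartext values. The script below is an added example, not code from the Jenkins project or the Ansible plugin. It assumes extra variables are serialised as `<key>`/`<value>`/`<hidden>` children under an `<extraVars>` element (the element names are an assumption, adjust them to what your config.xml shows) and that a value encrypted with Jenkins' Secret class is stored as a brace-wrapped base64 string; the sample config.xml is constructed.

```python
"""Flag Ansible extra variables stored in cleartext in Jenkins job config.xml.

Added example; not code from the Jenkins project or the Ansible plugin.
Assumptions: extra variables are serialised as <key>/<value>/<hidden>
children under an <extraVars> element (element names assumed), and a value
encrypted with Jenkins' Secret class is stored as a brace-wrapped base64
string such as {AQAAABAAAAAQ...}.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Shape of an encrypted Jenkins Secret in XML: "{" + base64 + "}".
SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Constructed config.xml standing in for a job on the controller.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
      <playbook>site.yml</playbook>
      <extraVars>
        <org.jenkinsci.plugins.ansible.ExtraVariable>
          <key>deploy_env</key>
          <value>staging</value>
          <hidden>false</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVariable>
        <org.jenkinsci.plugins.ansible.ExtraVariable>
          <key>vault_password</key>
          <value>hunter2</value>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVariable>
        <org.jenkinsci.plugins.ansible.ExtraVariable>
          <key>api_token</key>
          <value>{AQAAABAAAAAQ5yCqwJ4cmNkVgo3hvD8ZltzL1vTgE0kpO0OGV0LJ5Vo=}</value>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVariable>
      </extraVars>
    </org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
  </builders>
</project>
"""


def is_encrypted_secret(value):
    """True if the stored value has the encrypted-Secret shape."""
    return bool(SECRET_RE.match((value or "").strip()))


def find_cleartext_extra_vars(config_xml):
    """Return (key, hidden) for every extra variable whose value is not an
    encrypted Secret. Values are deliberately not returned, so the report
    does not become another copy of the secret. 'hidden' is assumed to
    affect only log masking; a hidden variable with a cleartext value is
    still a finding."""
    root = ET.fromstring(config_xml)
    findings = []
    for extra_vars in root.iter("extraVars"):
        for entry in extra_vars:
            key = (entry.findtext("key") or "").strip()
            hidden = (entry.findtext("hidden") or "false").strip().lower() == "true"
            if not is_encrypted_secret(entry.findtext("value")):
                findings.append((key, hidden))
    return findings


def scan_jenkins_home(jenkins_home):
    """Walk $JENKINS_HOME/jobs/**/config.xml (folders nest jobs under
    jobs/<folder>/jobs/<job>) and map each job's config path to its findings."""
    report = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        try:
            findings = find_cleartext_extra_vars(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # skip files under jobs/ that are not parseable XML
        if findings:
            report[str(cfg.relative_to(jenkins_home))] = findings
    return report


if __name__ == "__main__":
    for key, hidden in find_cleartext_extra_vars(SAMPLE_CONFIG):
        print(f"cleartext extra variable {key!r} (hidden={hidden})")
```

Run `scan_jenkins_home("/var/lib/jenkins")` as a user who can read the controller's file system; after upgrading the plugin, re-saving each flagged job converts the values, and a second scan should come back empty.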

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content. Affected versions do not validate archive entry names, so a remote, authenticated attacker who can supply a specially crafted archive containing "dot dot" sequences (/../) can traverse directories and create or replace arbitrary files on the agent file system with attacker-specified content. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196 https://access.redhat.com/security/cve/CVE-2023-32981 https://bugzilla.redhat.com/show_bug.cgi?id=2207835 • CWE-787: Out-of-bounds Write (as catalogued; the behaviour described is a path traversal through archive entry names, which is CWE-22, not a memory-safety fault) •
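The entry above describes the classic "zip slip" pattern: an extractor joins the destination directory with the entry name and trusts the result. The block below is an added example, not Pipeline Utility Steps code, showing the vulnerable helper next to a hardened one that resolves every target path and refuses anything outside the destination before writing a single byte. The archive, file names and directory layout are constructed for the demonstration.

```python
"""Archive extraction that refuses entries escaping the destination directory.

Added example, not Pipeline Utility Steps code. extract_unchecked() is the
vulnerable pattern (trusts the entry name); extract_checked() validates all
entries first, so a malicious archive writes nothing at all.
"""
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Construct an in-memory zip from {name: bytes}. Names are written as
    given, so a '../' prefix survives exactly as an attacker would ship it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_unchecked(zip_bytes, dest):
    """Vulnerable pattern: os.path.join(dest, name) with no validation."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def safe_target(dest, name):
    """Resolve an entry name under dest; raise ValueError if it escapes.
    realpath() also folds symlinks, so a link inside dest pointing outside
    it is caught as well."""
    dest_real = os.path.realpath(dest)
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def is_safe_entry(dest, name):
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract_checked(zip_bytes, dest):
    """Hardened extraction: validate every entry, then write. Returns the
    relative paths written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        targets = [safe_target(dest, i.filename) for i in infos]  # all-or-nothing
        written = []
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.relpath(target, os.path.realpath(dest)))
    return written


def demo():
    """Run both extractors on a constructed traversal archive inside a temp
    tree. Returns (unchecked_escaped, checked_rejected, checked_written)."""
    archive = build_zip({
        "ok/notes.txt": b"harmless",
        "../../escaped.txt": b"attacker content",
    })
    with tempfile.TemporaryDirectory() as root:
        unchecked_dest = os.path.join(root, "a", "b", "work")
        os.makedirs(unchecked_dest)
        extract_unchecked(archive, unchecked_dest)
        # a/b/work/../../escaped.txt lands two levels up, in a/
        escaped = os.path.exists(os.path.join(root, "a", "escaped.txt"))

        checked_dest = os.path.join(root, "c", "d", "work")
        os.makedirs(checked_dest)
        try:
            extract_checked(archive, checked_dest)
            rejected = False
        except ValueError:
            rejected = True
        written = sorted(os.listdir(checked_dest))
    return escaped, rejected, written


if __name__ == "__main__":
    print(demo())  # (True, True, [])
```

The validate-everything-first loop matters: rejecting a bad entry only when it is reached still leaves the earlier entries written, which an attacker can use to stage files before the rejected one triggers an error.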

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job. A flaw was found in the Jenkins Email Extension Plugin: the request that stops watching a job is not protected against forgery. By persuading an authenticated user to visit a malicious web site, a remote attacker can have that user's browser issue the request and so make the victim stop watching an attacker-specified job. The impact is limited to that change of watch state; the advisory describes no cross-site scripting or cache-poisoning effect. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3088%20(2) https://access.redhat.com/security/cve/CVE-2023-32980 https://bugzilla.redhat.com/show_bug.cgi?id=2207833 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. A flaw was found in the Jenkins Email Extension Plugin. Affected versions could allow a remote, authenticated attacker to obtain sensitive information because the validation method does not check the caller's permissions; Overall/Read is the baseline permission every logged-in user holds in a typical Jenkins authorization setup, so any account qualifies. By sending a specially crafted request, an attacker can check for the existence of files in the email-templates/ directory and use this information to plan further attacks against the affected system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3088%20(1) https://access.redhat.com/security/cve/CVE-2023-32979 https://bugzilla.redhat.com/show_bug.cgi?id=2207831 • CWE-266: Incorrect Privilege Assignment CWE-732: Incorrect Permission Assignment for Critical Resource •
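All five entries come from the same Jenkins advisory, and the first question on any controller is which of the listed plugins are installed at an affected version. The script below is an added example, not Jenkins project code. It assumes the plugin list has the shape returned by `GET <jenkins>/pluginManager/api/json?depth=1` (`{"plugins": [{"shortName": ..., "version": ...}, ...]}`), that plugin versions order by their leading dotted integer segments, and that the `.v<hash>` suffix of automatically generated versions such as `204.v8191fd551eb_f` carries no ordering information. Only the two plugins whose affected versions appear on this page are checked; the sample API response is constructed.

```python
"""Check installed Jenkins plugin versions against the affected versions
listed in the entries above. Added example; not Jenkins project code.

Assumptions: plugin list shaped like /pluginManager/api/json?depth=1, and
plugin versions ordered by their leading dotted integer segments (the
'.v<hash>' suffix of generated versions is ignored).
"""
import base64
import json
import re
import urllib.request

# "X and earlier" as stated in the entries above, keyed by plugin short name.
AFFECTED_UP_TO = {
    "ansible": "204.v8191fd551eb_f",
    "pipeline-utility-steps": "2.15.2",
}

# Constructed response standing in for the plugin manager API.
SAMPLE_PLUGINS = json.dumps({"plugins": [
    {"shortName": "ansible", "version": "204.v8191fd551eb_f", "active": True},
    {"shortName": "pipeline-utility-steps", "version": "2.16.0", "active": True},
    {"shortName": "git", "version": "5.0.0", "active": True},
]})


def version_key(version):
    """Leading integer segments of a plugin version as a comparable tuple:
    '204.v8191fd551eb_f' -> (204,), '2.15.2' -> (2, 15, 2).
    Parsing stops at the first segment that is not purely numeric, so an
    unparseable version yields () and compares as affected (fail closed)."""
    key = []
    for part in version.split("."):
        if not re.fullmatch(r"\d+", part):
            break
        key.append(int(part))
    return tuple(key)


def is_affected(installed, last_affected):
    """True if installed <= last_affected ("X and earlier")."""
    return version_key(installed) <= version_key(last_affected)


def affected_plugins(plugin_list_json, affected_up_to=AFFECTED_UP_TO):
    """Return (shortName, installed, last_affected) for each installed plugin
    whose version falls inside the affected range."""
    hits = []
    for plugin in json.loads(plugin_list_json)["plugins"]:
        name, version = plugin["shortName"], plugin["version"]
        if name in affected_up_to and is_affected(version, affected_up_to[name]):
            hits.append((name, version, affected_up_to[name]))
    return hits


def fetch_plugin_list(base_url, user, api_token):
    """Fetch the live plugin list with HTTP basic auth (user name + API token)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for name, installed, last in affected_plugins(SAMPLE_PLUGINS):
        print(f"{name} {installed}: affected (vulnerable up to {last})")
```

Against a live controller, replace `SAMPLE_PLUGINS` with `fetch_plugin_list("https://jenkins.example", "auditor", api_token)`; the Email Extension entries above give no version boundary, so that plugin is not in the table and must be checked against the advisory directly.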