CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2136 – jenkins-git-plugin: stored cross-site scripting
https://notcve.org/view.php?id=CVE-2020-2136
09 Mar 2020 — Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability. Jenkins Git Plugin versiones 4.2.0 y anteriores, no escapa al mensaje de error de la URL del repositorio para la comprobación del formulario del campo TFS de Microsoft, resultando en una vulnerabilidad de tipo cross-site scripting almacenado. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes... • http://www.openwall.com/lists/oss-security/2020/03/09/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 1%CPEs: 10EXPL: 1CVE-2019-19604 – Ubuntu Security Notice USN-4220-1
https://notcve.org/view.php?id=CVE-2019-19604
10 Dec 2019 — Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. Una ejecución de comandos arbitrarios es posible en Git versiones anteriores a 2.20.2, versiones 2.21.x anteriores a 2.21.1, versiones 2.22.x anteriores a 2.22.2, versiones 2.23.x anteriores a 2.23.1 y versiones 2.24.x anteriores a 2.24.1, po... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-862: Missing Authorization •
CVSS: 3.6EPSS: 0%CPEs: 12EXPL: 0CVE-2019-1348 – git: Arbitrary path overwriting via export-marks in-stream command feature
https://notcve.org/view.php?id=CVE-2019-1348
10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. Se encontró un problema en Git anterior a la versión v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4 y v2. 14.6 La opción --export-marks de git fast-import también se expone a trav... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2019-1353 – Gentoo Linux Security Advisory 202003-30
https://notcve.org/view.php?id=CVE-2019-1353
10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. El controlador IEC870IP para Vijeo Citect y Citect SCADA de AVENA y Power SCADA Operation de Schneider Electric, presenta una vulnerabilidad de desbordamiento de búfer que podría resultar en un bl... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html •
CVSS: 8.8EPSS: 3%CPEs: 11EXPL: 0CVE-2019-1387 – git: Remote code execution in recursive clones with nested submodules
https://notcve.org/view.php?id=CVE-2019-1387
10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. Se encontró un problema en Git versiones anteriores a v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4 y v2. 14.6. Los clones recursivos están... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003010
https://notcve.org/view.php?id=CVE-2019-1003010
06 Feb 2019 — A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. Existe una vulnerabilidad Cross-Site Request Forgery (CSRF) en Jenkins Git Plugin, en versiones 3.9.1 y anteriores, en src/main/java/hudson/plugins/git/GitTagAction.java, que permite que los atacantes creen una etiqueta Git en un espacio de trabajo y adjunte... • https://access.redhat.com/errata/RHBA-2019:0326 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000182
https://notcve.org/view.php?id=CVE-2018-1000182
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Existe una vulnerabilidad Server-Side Request Forgery en el plugin Git en versiones 3.9.0 y anteriores de Jenkins en AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryB... • https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 13%CPEs: 1EXPL: 0CVE-2018-1000110
https://notcve.org/view.php?id=CVE-2018-1000110
13 Mar 2018 — An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. Existe una vulnerabilidad de autorización incorrecta en el plugin Git para Jenkins, en versiones 3.7.0 y anteriores, en GitStatus.java que permite que un atacante con acceso de red obtenga una lista de nodos y usuarios. • https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 124EXPL: 0CVE-2017-1000092
https://notcve.org/view.php?id=CVE-2017-1000092
04 Oct 2017 — Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. El plugin Git se conecta a un repositorio de Git especificado por el usuario como parte de la v... • http://www.securityfocus.com/bid/100435 • CWE-352: Cross-Site Request Forgery (CSRF) •