
CVE-2024-34144 – jenkins-plugin/script-security: sandbox bypass via crafted constructor bodies
https://notcve.org/view.php?id=CVE-2024-34144
02 May 2024 — A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. • https://github.com/MXWXZ/CVE-2024-34144 • CWE-693: Protection Mechanism Failure •

CVE-2024-28162
https://notcve.org/view.php?id=CVE-2024-28162
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive), a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •

CVE-2024-28161
https://notcve.org/view.php?id=CVE-2024-28161
06 Mar 2024 — In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-295: Improper Certificate Validation •

CVE-2024-28160
https://notcve.org/view.php?id=CVE-2024-28160
06 Mar 2024 — Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-28159
https://notcve.org/view.php?id=CVE-2024-28159
06 Mar 2024 — A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •

CVE-2024-28158
https://notcve.org/view.php?id=CVE-2024-28158
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-28157
https://notcve.org/view.php?id=CVE-2024-28157
06 Mar 2024 — Jenkins GitBucket Plugin 0.8 and earlier does not sanitize GitBucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-28156
https://notcve.org/view.php?id=CVE-2024-28156
06 Mar 2024 — Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-28155
https://notcve.org/view.php?id=CVE-2024-28155
06 Mar 2024 — Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •

CVE-2024-28154
https://notcve.org/view.php?id=CVE-2024-28154
06 Mar 2024 — Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-532: Insertion of Sensitive Information into Log File •