CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28157
https://notcve.org/view.php?id=CVE-2024-28157
06 Mar 2024 — Jenkins GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. Jenkins GitBucket Plugin 0.8 y versiones anteriores no desinfectan las URL de Gitbucket en las vistas de compilación, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes capaces de configurar trabajos. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28155
https://notcve.org/view.php?id=CVE-2024-28155
06 Mar 2024 — Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. El complemento Jenkins AppSpider 1.0.16 y versiones anteriores no realiza comprobaciones de permisos en varios endpoints HTTP, lo que permite a los atacantes con permiso general/lectura obtener información sobre los nombres de configuraciones de escaneo disponibl... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28154
https://notcve.org/view.php?id=CVE-2024-28154
06 Mar 2024 — Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. Jenkins MQ Notifier Plugin 1.4.0 y versiones anteriores registran parámetros de compilación potencialmente confidenciales como parte de la información de depuración en los registros de compilación de forma predeterminada. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.3EPSS: 1%CPEs: 1EXPL: 0CVE-2024-28153
https://notcve.org/view.php?id=CVE-2024-28153
06 Mar 2024 — Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. El complemento Jenkins OWASP Dependency-Check 5.4.5 y versiones anteriores no escapa a los metadatos de vulnerabilidad de los informes Dependency-Check, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28151
https://notcve.org/view.php?id=CVE-2024-28151
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores archiva enlaces simbólicos no válidos en directorios de informes de agentes y los recrea en el controlador, lo que permite a los atacantes con permi... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28150
https://notcve.org/view.php?id=CVE-2024-28150
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores no escapan a los nombres de trabajos, nombres de informes y títulos de páginas de índice que se muestran como parte del frame del informe, lo que genera una vulnerabilidad de Cross-Site Scr... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28149 – jenkins-2-plugins: Improper input sanitization in HTML Publisher Plugin
https://notcve.org/view.php?id=CVE-2024-28149
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists. El complemento Jenkins HTML Publisher 1.16 a 1.32 (ambos inclusive) no sanitizada adecuadamente la entrada, lo que permite a los atacantes con permiso Elemento/Configurar implementar ataques de Cross-Site Scripting (XSS) y determinar si ... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2216
https://notcve.org/view.php?id=CVE-2024-2216
06 Mar 2024 — A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una verificación de permiso faltante en un punto final HTTP en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes con permiso general/lectura co... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2215
https://notcve.org/view.php?id=CVE-2024-2215
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una vulnerabilidad de falsificación de solicitud entre sitios (CSRF) en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes conectarse a una URL de socket TCP o Unix espec... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 61%CPEs: 2EXPL: 1CVE-2024-23898 – jenkins: cross-site WebSocket hijacking
https://notcve.org/view.php?id=CVE-2024-23898
24 Jan 2024 — Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. Jenkins 2.217 a 2.441 (ambos incluida), LTS 2.222.1 a 2.426.2 (ambos incluida) no realizan la validación del origen de las solicitudes realizadas a través del endpoint CLI WebSocket, lo que gene... • https://github.com/davidmgaviria/CVE2_Jenkins_RCE • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-346: Origin Validation Error •