CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24456
https://notcve.org/view.php?id=CVE-2023-24456
Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. El complemento Keycloak Authentication de Jenkins en su versión 2.3.0 y anteriores no invalida la sesión anterior al iniciar sesión. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2987 • CWE-384: Session Fixation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24424
https://notcve.org/view.php?id=CVE-2023-24424
Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. El complemento OpenId Connect Authentication 2.4 de Jenkins y versiones anteriores no invalida la sesión anterior al iniciar sesión. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2978 • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24445
https://notcve.org/view.php?id=CVE-2023-24445
Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. El complemento OpenID de Jenkins en su versión 2.4 y anteriores determinan incorrectamente que una URL de redireccionamiento después de iniciar sesión apunta legítimamente a Jenkins. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2997 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-24450
https://notcve.org/view.php?id=CVE-2023-24450
Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. El complemento view-cloner de Jenkins en su versión 1.1 y anteriores almacena contraseñas sin cifrar en archivos job config.xml en el controlador Jenkins, donde los usuarios con permiso de lectura extendida pueden verlas o acceder al sistema de archivos del controlador Jenkins. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24422 – jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
https://notcve.org/view.php?id=CVE-2023-24422
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Una vulnerabilidad de omisión de la sandbox que involucra constructores de mapas en Jenkins Script Security Plugin 1228.vd93135a_2fb_25 y versiones anteriores permite a atacantes con permiso para definir y ejecutar scripts de sandbox, incluidos Pipelines, eludir la protección de sandbox y ejecutar código arbitrario en el contexto de la JVM del controlador Jenkins. A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. • https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016 https://access.redhat.com/security/cve/CVE-2023-24422 https://bugzilla.redhat.com/show_bug.cgi?id=2164278 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •