CVSS: 5.5EPSS: 3%CPEs: 1EXPL: 0CVE-2022-41224
https://notcve.org/view.php?id=CVE-2022-41224
21 Sep 2022 — Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component. Jenkins versiones 2.367 hasta 2.369 (ambas inclusive) no escapa a la información sobre herramientas del componente l:helpIcon UI usado para algunos iconos de ayuda en la interfaz web de Jenkins, lo que da lugar a una vulnerabilida... • https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2886 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-36900
https://notcve.org/view.php?id=CVE-2022-36900
27 Jul 2022 — Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. Jenkins Compuware zAdviser API Plugin versiones 1.0.3 y anteriores, no restringe la ejecución de un mensaje controlador/agente a los agentes, permitiendo a atacantes capaces de controlar los procesos de los agentes recuperar las propiedades del sistema Java • http://www.openwall.com/lists/oss-security/2022/07/27/1 •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-36899
https://notcve.org/view.php?id=CVE-2022-36899
27 Jul 2022 — Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. Jenkins Compuware ISPW Operations Plugin versiones 1.0.8 y anteriores, no restringe la ejecución de un mensaje de controlador/agente a los agentes, permitiendo a atacantes capaces de controlar los procesos de los agentes recuperar las propiedades del sistema Java • http://www.openwall.com/lists/oss-security/2022/07/27/1 •
CVSS: 7.5EPSS: 1%CPEs: 12EXPL: 0CVE-2022-2048 – http2-server: Invalid HTTP/2 requests cause DoS
https://notcve.org/view.php?id=CVE-2022-2048
07 Jul 2022 — In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. En la implementación del servidor Eclipse Jetty HTTP/2, cuando es encontrada una petición HTTP/2 no válida, el manejo de errores presenta un error que puede terminar por no limpiar apropi... • http://www.openwall.com/lists/oss-security/2022/09/09/2 • CWE-410: Insufficient Resource Pool CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-34175
https://notcve.org/view.php?id=CVE-2022-34175
22 Jun 2022 — Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. Jenkins versiones 2.335 hasta 2.355 (ambas incluyéndolas) permite a atacantes, en algunos casos, omitir un mecanismo de protección, accediendo así directamente a algunos fragmentos de visualizaciones que contienen información confidencial, omitiendo cualquier co... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2777 •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2022-34174 – jenkins: Observable timing discrepancy allows determining username validity
https://notcve.org/view.php?id=CVE-2022-34174
22 Jun 2022 — In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. En Jenkins versiones 2.355 y anteriores, LTS versiones 2.332.3 y anteriores, una discrepancia de tiempo observable en el formulario de inicio de sesión permite distinguir entre los intentos de inicio de sesión con un nomb... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 5.4EPSS: 6%CPEs: 1EXPL: 0CVE-2022-34173
https://notcve.org/view.php?id=CVE-2022-34173
22 Jun 2022 — In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. En Jenkins versiones 2.340 hasta 2.355 (ambas incluyéndolas) el tooltip del botón de construcción en las visualizaciones de lista soporta HTML sin escapar el nombre de visualización del trabajo, resultando en una vulnerabilidad de tipo cross-site script... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 2%CPEs: 1EXPL: 0CVE-2022-34172
https://notcve.org/view.php?id=CVE-2022-34172
22 Jun 2022 — In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. En Jenkins versiones 2.340 hasta 2.355 (ambas incluyéndolas) los iconos basados en símbolos no escapan los valores previamente escapados de los parámetros "tooltip", resultando en una vulnerabilidad de tipo cross-site scripting (XSS) • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 5%CPEs: 2EXPL: 0CVE-2022-34171
https://notcve.org/view.php?id=CVE-2022-34171
22 Jun 2022 — In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. En Jenkins versiones 2.321 hasta 2.355 (ambas incluyéndolas) y LTS 2.332.1 hasta LTS 2.332.3 (ambas incluyéndolas) la salida HTML generada para nuevo... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 3%CPEs: 2EXPL: 0CVE-2022-34170
https://notcve.org/view.php?id=CVE-2022-34170
22 Jun 2022 — In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. En Jenkins versiones 2.320 hasta 2.355 (ambas incluyéndolas) y LTS versiones 2.332.1 hasta LTS 2.332.3 (ambas incluyéndolas), el icono de ayuda no escapa el nombre de la caract... • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •