
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2764 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

A missing permission check in Jenkins HashiCorp Vault Plugin 354.vdb_858fd6b_f48 and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2593 • CWE-862: Missing Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2766 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier allows attackers to create runs of an external job. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2762 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. • http://www.openwall.com/lists/oss-security/2022/07/27/1 • https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849 • https://access.redhat.com/security/cve/CVE-2022-36885 • https://bugzilla.redhat.com/show_bug.cgi?id=2119658 • CWE-203: Observable Discrepancy • CWE-208: Observable Timing Discrepancy