CVE-2024-28155
https://notcve.org/view.php?id=CVE-2024-28155
Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. El complemento Jenkins AppSpider 1.0.16 y versiones anteriores no realiza comprobaciones de permisos en varios endpoints HTTP, lo que permite a los atacantes con permiso general/lectura obtener información sobre los nombres de configuraciones de escaneo disponibles, nombres de grupos de motores y nombres de clientes. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3144 •
CVE-2023-32999
https://notcve.org/view.php?id=CVE-2023-32999
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121 • CWE-276: Incorrect Default Permissions •
CVE-2023-32998
https://notcve.org/view.php?id=CVE-2023-32998
A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-2314
https://notcve.org/view.php?id=CVE-2020-2314
Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. Jenkins AppSpider Plugin versiones 1.0.12 y anteriores, almacena una contraseña sin cifrar en su archivo de configuración global en el controlador de Jenkins, donde puede ser visualizado por parte de los usuarios con acceso al sistema de archivos del controlador de Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2058 • CWE-522: Insufficiently Protected Credentials •