CVE-2023-40339 – jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin
https://notcve.org/view.php?id=CVE-2023-40339
Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they are written to the build log.
A flaw was found in the Config File Provider Jenkins Plugin. Affected versions of this plugin do not mask (replace with asterisks) credentials specified in configuration files when they are written to the build log.
• http://www.openwall.com/lists/oss-security/2023/08/16/3
• https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090
• https://access.redhat.com/security/cve/CVE-2023-40339
• https://bugzilla.redhat.com/show_bug.cgi?id=2232423
CVE-2021-21645 – jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.
https://notcve.org/view.php?id=CVE-2021-21645
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.
A flaw was found in the config-file-provider Jenkins plugin. The plugin does not perform permission checks in several HTTP endpoints; as a consequence, an attacker with Overall/Read permission can enumerate configuration file IDs.
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2203
• https://access.redhat.com/security/cve/CVE-2021-21645
• https://bugzilla.redhat.com/show_bug.cgi?id=1952152
• CWE-281: Improper Preservation of Permissions
CVE-2021-21644 – jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
https://notcve.org/view.php?id=CVE-2021-21644
A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.
A cross-site request forgery (CSRF) vulnerability was found in the config-file-provider Jenkins plugin. The plugin does not require POST requests for an HTTP endpoint, which allows attackers to delete configuration files corresponding to an attacker-specified ID.
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2202
• https://access.redhat.com/security/cve/CVE-2021-21644
• https://bugzilla.redhat.com/show_bug.cgi?id=1952151
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-21642 – jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.
https://notcve.org/view.php?id=CVE-2021-21642
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
A flaw was found in the config-file-provider Jenkins plugin. The plugin's XML parser was not configured to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204
• https://access.redhat.com/security/cve/CVE-2021-21642
• https://bugzilla.redhat.com/show_bug.cgi?id=1952146
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2021-21643 – jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints.
https://notcve.org/view.php?id=CVE-2021-21643
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
A flaw was found in the config-file-provider Jenkins plugin. The plugin does not correctly perform permission checks in several HTTP endpoints; as a consequence, an attacker with global Job/Configure permission can enumerate system-scoped credentials IDs of credentials stored in Jenkins.
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254
• https://access.redhat.com/security/cve/CVE-2021-21643
• https://bugzilla.redhat.com/show_bug.cgi?id=1952148
• CWE-281: Improper Preservation of Permissions