16 results (0.004 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account. • http://www.openwall.com/lists/oss-security/2023/07/26/2 https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-2696 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. Jenkins GitLab Plugin versiones 1.5.35 y anteriores, usa una función de comparación de tiempo no constante cuando comprueba si el token de webhook proporcionado y el esperado son iguales, permitiendo potencialmente a atacantes usar métodos estadísticos para obtener un token de webhook válido • http://www.openwall.com/lists/oss-security/2022/10/19/3 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2877 • CWE-203: Observable Discrepancy •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Jenkins GitLab Plugin versiones 1.5.34 y anteriores, no escapa a los múltiples campos insertados en la descripción de las construcciones activadas por el webhook, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenada explotable por atacantes con permiso de Item/Configure • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2316 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Jenkins GitLab Plugin versiones 1.5.31 y anteriores, no llevan a cabo una comprobación de permisos en un endpoint HTTP, lo que permite a atacantes con permiso Overall/Read enumerar los ID de las credenciales almacenadas en Jenkins • https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2753 • CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. El Plugin GitLab Authentication de Jenkins versiones 1.13 y anteriores, almacena el secreto del cliente de GitLab sin cifrar en el archivo global config.xml del controlador de Jenkins, donde puede ser visualizado por usuarios con acceso al sistema de archivos del controlador de Jenkins • http://www.openwall.com/lists/oss-security/2022/03/15/2 https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-1891 • CWE-522: Insufficiently Protected Credentials •