
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant-time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods (timing measurements averaged over many requests) to obtain a valid webhook token. • http://www.openwall.com/lists/oss-security/2023/10/25/2 https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2896 • CWE-697: Incorrect Comparison •
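What "non-constant time comparison" means for the webhook token, as an added example in Python (this is not the plugin's code, which is Java, nor anything from the advisory). naive_equals mirrors the early-exit behaviour of a plain String.equals(): the number of bytes it inspects, and therefore its running time, grows by one for every correctly guessed leading byte. recover_token uses that count as an exact oracle to rebuild the token byte by byte; against a live endpoint the oracle is noisy response time, so each candidate would be timed many times and averaged, which is the "statistical method" the advisory refers to. constant_time_equals shows why a fixed-work comparison defeats the attack, and webhook_token_matches is the form a practitioner actually writes (hmac.compare_digest here, MessageDigest.isEqual in Java). The token value, alphabet and the inspected-byte oracle are constructed for the demonstration.

```python
import hmac
from typing import Callable, Optional, Tuple

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def naive_equals(provided: bytes, expected: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the behaviour of a plain String.equals().

    Returns (equal, bytes_inspected). The second value is what leaks through
    response time: it grows by one for every correctly guessed leading byte.
    """
    if len(provided) != len(expected):
        return False, 0
    inspected = 0
    for a, b in zip(provided, expected):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_equals(provided: bytes, expected: bytes) -> Tuple[bool, int]:
    """Inspect every byte and fold all mismatches into one accumulator."""
    if len(provided) != len(expected):
        return False, 0
    diff = 0
    inspected = 0
    for a, b in zip(provided, expected):
        inspected += 1
        diff |= a ^ b
    return diff == 0, inspected


def webhook_token_matches(provided: str, expected: str) -> bool:
    """The fix as written in practice: hmac.compare_digest in Python,
    MessageDigest.isEqual in Java, rather than a hand-rolled loop."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def recover_token(expected: bytes, compare: Compare,
                  alphabet: bytes = b"0123456789abcdef") -> Optional[bytes]:
    """Byte-at-a-time recovery driven only by the inspected-byte count.

    `expected` is the server's secret; the attacker never reads it, only the
    oracle value that `compare` hands back (a stand-in for response time).
    Returns the token, or None when every candidate cost the same, i.e. the
    comparison leaked nothing.
    """
    recovered = b""
    for pos in range(len(expected)):
        cost = {}
        for c in alphabet:
            guess = recovered + bytes([c]) + b"\x00" * (len(expected) - pos - 1)
            ok, inspected = compare(guess, expected)
            if ok:                      # final byte: the endpoint simply accepts
                return guess
            cost[c] = inspected
        if len(set(cost.values())) == 1:
            return None                 # no candidate stood out: nothing leaked
        recovered += bytes([max(cost, key=cost.get)])
    return None


if __name__ == "__main__":
    secret = b"3f9a"                    # constructed token (hex alphabet)
    print("naive compare   :", recover_token(secret, naive_equals))
    print("constant-time   :", recover_token(secret, constant_time_equals))
```

The oracle here is exact, so one query per candidate suffices; with real timing jitter the same loop needs many samples per candidate and a statistical decision (for example comparing mean or median latencies) in place of the single-count comparison, but the structure of the attack is unchanged.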

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. • http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2894 • CWE-665: Improper Initialization •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. • http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2894 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
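The two endpoint issues above (the option that secures the webhook not being initialised, and the job-existence disclosure) modelled together in one added Python example. This is not the plugin's code: JobConfig, its use_secret and secret fields, the handler signatures and the sample jobs are assumptions chosen to match the advisory wording. The vulnerable handler treats an option that was never set as "unsecured" and answers differently for unknown jobs; the hardened one resolves the option fail-closed and returns one response whatever happened.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class JobConfig:
    """Per-job trigger settings (hypothetical names, not the plugin's fields)."""
    secret: Optional[str] = None       # value the webhook caller must present
    use_secret: Optional[bool] = None  # the option that "secures the endpoint";
                                       # None models a job whose config predates
                                       # the option, so it was never initialised


Response = Tuple[int, str, bool]  # (HTTP status, body, whether a build was triggered)


def _token_ok(provided: Optional[str], expected: Optional[str]) -> bool:
    if provided is None or expected is None:
        return False
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def vulnerable_handle(jobs: Dict[str, JobConfig], job_name: str,
                      provided: Optional[str]) -> Response:
    """Both weaknesses from the advisory, modelled in one handler."""
    job = jobs.get(job_name)
    if job is None:
        # CWE-200: an unauthenticated caller learns whether the job exists.
        return 404, f"job {job_name} not found", False
    # CWE-665: an uninitialised option (None) is falsy, so the secret check is
    # skipped for exactly the jobs an administrator believed were protected.
    if job.use_secret and not _token_ok(provided, job.secret):
        return 403, "bad secret", False
    return 200, f"triggered {job_name}", True


GENERIC = (200, "webhook received")   # one answer for every outcome


def hardened_handle(jobs: Dict[str, JobConfig], job_name: str,
                    provided: Optional[str]) -> Response:
    job = jobs.get(job_name)
    triggered = False
    if job is not None:
        # Fail closed: an option that was never set means "secured", and a
        # secured job with no secret configured accepts nobody.
        secured = True if job.use_secret is None else job.use_secret
        if not secured or _token_ok(provided, job.secret):
            triggered = True
    # Status and body depend neither on job existence nor on the token outcome.
    return GENERIC[0], GENERIC[1], triggered


# Constructed sample: one job loaded from an old config (option never set),
# one where the administrator explicitly enabled the secret.
LEGACY_JOBS = {
    "build-api": JobConfig(secret="s3cret"),
    "deploy": JobConfig(secret="other", use_secret=True),
}

if __name__ == "__main__":
    print("vulnerable, no token :", vulnerable_handle(LEGACY_JOBS, "build-api", None))
    print("vulnerable, no job   :", vulnerable_handle(LEGACY_JOBS, "nope", None))
    print("hardened, no token   :", hardened_handle(LEGACY_JOBS, "build-api", None))
    print("hardened, good token :", hardened_handle(LEGACY_JOBS, "build-api", "s3cret"))
```

A uniform body and status close the disclosure the advisory describes (what the output says); it does not by itself remove every side channel, since scheduling a build takes measurably longer than doing nothing, so the existence of a job a caller is not authorised for should not be observable through either path.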

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system. This vulnerability allows local attackers to disclose sensitive information on affected installations of Jenkins Gogs. Authentication is required to exploit this vulnerability. The specific flaw exists within the Gogs plugin. The issue results from storing credentials in plaintext. • http://www.openwall.com/lists/oss-security/2019/07/11/4 http://www.securityfocus.com/bid/109156 https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438 https://www.zerodayinitiative.com/advisories/ZDI-19-837 • CWE-312: Cleartext Storage of Sensitive Information •
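An added audit script (Python; not part of the plugin or of Jenkins) for the class of issue above: walk a job config.xml and flag credential-looking elements whose text is not in the encrypted form that a Secret-backed field produces. The sample XML and its trigger class and element names are constructed, and the assumption that hudson.util.Secret serialises as base64 between braces is stated in the code and should be verified against a known Secret-backed field on your own controller before the pattern is relied on.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator, List, Tuple

# Assumption: hudson.util.Secret writes an encrypted value as base64 inside
# braces, e.g. "{AQAAABAAAAAQ...}". Check a Secret-backed field on your own
# controller before trusting this pattern.
ENCRYPTED_FORM = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names worth looking at; tune for the plugins you actually run.
SENSITIVE_TAG = re.compile(r"password|passwd|secret|token|apikey|api_key|credential",
                           re.IGNORECASE)

# Constructed sample job config.xml; the trigger class and its fields are made up.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>example</description>
  <triggers>
    <org.example.ExampleTrigger plugin="example-plugin@1.0">
      <webhookSecret>hunter2</webhookSecret>
      <apiToken>{AQAAABAAAAAgQ2xlYXJ0ZXh0IGlzIG5vdCBhIGNpcGhlcnRleHQ=}</apiToken>
      <branch>main</branch>
    </org.example.ExampleTrigger>
  </triggers>
</project>
"""


def _mask(value: str) -> str:
    """Report enough to locate the secret without copying it into the findings."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def _walk(elem: ET.Element, path: str, findings: List[Tuple[str, str]]) -> None:
    tag = elem.tag.rsplit("}", 1)[-1]          # drop a namespace prefix if any
    here = f"{path}/{tag}"
    value = (elem.text or "").strip()
    if value and SENSITIVE_TAG.search(tag) and not ENCRYPTED_FORM.match(value):
        findings.append((here, _mask(value)))
    for child in elem:
        _walk(child, here, findings)


def find_cleartext_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element path, masked value) for credential-looking elements
    stored as plain text rather than in the encrypted Secret form."""
    findings: List[Tuple[str, str]] = []
    _walk(ET.fromstring(xml_text), "", findings)
    return findings


def scan_jenkins_home(jenkins_home: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (config file, element path, masked value) across all job configs,
    including folders, which nest further jobs/ directories."""
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            text = cfg.read_text(encoding="utf-8")
        except OSError:
            continue
        try:
            hits = find_cleartext_secrets(text)
        except ET.ParseError:
            continue
        for element_path, masked in hits:
            yield str(cfg), element_path, masked


if __name__ == "__main__":
    for element_path, masked in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"cleartext credential at {element_path}: {masked}")
```

Run scan_jenkins_home("/var/lib/jenkins") (path assumed) as the Jenkins service user, since job config.xml files are exactly the material the advisory says Extended Read or file-system access exposes; the masked output is deliberate so the audit report does not become a second copy of the credentials.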