CVE-2024-52552
https://notcve.org/view.php?id=CVE-2024-52552
Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-5273
https://notcve.org/view.php?id=CVE-2024-5273
Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path. • http://www.openwall.com/lists/oss-security/2024/05/24/2 https://www.jenkins.io/security/advisory/2024-05-24/#SECURITY-3070 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-34148
https://notcve.org/view.php?id=CVE-2024-34148
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'. • http://www.openwall.com/lists/oss-security/2024/05/02/3 https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3331 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2024-34147
https://notcve.org/view.php?id=CVE-2024-34147
Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. • http://www.openwall.com/lists/oss-security/2024/05/02/3 https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294 • CWE-522: Insufficiently Protected Credentials •
CVE-2024-28162
https://notcve.org/view.php?id=CVE-2024-28162
In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive), a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation. • http://www.openwall.com/lists/oss-security/2024/03/06/3 https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3330 • CWE-295: Improper Certificate Validation •