CVE-2023-49653
https://notcve.org/view.php?id=CVE-2023-49653
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. Jenkins Jira Plugin 3.11 y versiones anteriores no establecen el contexto apropiado para la búsqueda de credenciales, lo que permite a los atacantes con permiso Elemento/Configurar acceder y capturar credenciales a las que no tienen derecho. • http://www.openwall.com/lists/oss-security/2023/11/29/1 https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3225 • CWE-522: Insufficiently Protected Credentials •
CVE-2022-29041 – Jira: Stored XSS vulnerabilities in Jenkins Jira plugin
https://notcve.org/view.php?id=CVE-2022-29041
Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. El plugin Jenkins Jira versiones 3.7 y anteriores, excepto 3.6.1, no escapa el nombre y la descripción de los parámetros Jira Issue y Jira Release Version en las visualizaciones que muestran parámetros, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado que puede ser explotada por atacantes con permiso Item/Configure A flaw was found in the Jenkins Jira plugin. The Jenkins Jira plugin does not escape the name and description of a Jira Issue and Jira Release Version parameters on views displaying parameters. This issue results in a stored Cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617 https://access.redhat.com/security/cve/CVE-2022-29041 https://bugzilla.redhat.com/show_bug.cgi?id=2074850 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-43945
https://notcve.org/view.php?id=CVE-2021-43945
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos con permisos de administrador de hojas de ruta inyectar HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo Cross-Site Scripting (SXSS) Almacenado en el endpoint /rest/jpo/1.0/hierarchyConfiguration. Las versiones afectadas son anteriores a versión 8.20.3. • https://jira.atlassian.com/browse/JRASERVER-73069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-43953
https://notcve.org/view.php?id=CVE-2021-43953
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a los atacantes remotos no autentificados cambiar la configuración de la retención de hilos y la monitorización de la CPU a través de una vulnerabilidad de falsificación de solicitud de sitio cruzado (CSRF) en el punto final /secure/admin/ViewInstrumentation.jspa. Las versiones afectadas son anteriores a la versión 8.13.16, y desde la versión 8.14.0 hasta la 8.20.5 • https://jira.atlassian.com/browse/JRASERVER-73170 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-43947
https://notcve.org/view.php?id=CVE-2021-43947
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos con privilegios de administrador ejecutar código arbitrario por medio de una vulnerabilidad de Ejecución de Código Remota (RCE) en la funcionalidad Email Templates. Este problema evita la corrección de https://jira.atlassian.com/browse/JSDSERVER-8665. • https://jira.atlassian.com/browse/JRASERVER-73067 •