CVE-2022-20613
https://notcve.org/view.php?id=CVE-2022-20613
A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Jenkins Mailer versiones 391.ve4a_38c1b_cf4b_ y anteriores, permite a atacantes usar el DNS usado por la instancia Jenkins para resolver un nombre de host especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-20614
https://notcve.org/view.php?id=CVE-2022-20614
A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Una comprobación de permiso faltante en el plugin Jenkins Mailer versiones 391.ve4a_38c1b_cf4b_ y anteriores, permite a atacantes con acceso Overall/Read usar el DNS usado por la instancia Jenkins para resolver un nombre de host especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-862: Missing Authorization •
CVE-2020-2252 – jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM
https://notcve.org/view.php?id=CVE-2020-2252
Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. Jenkins Mailer Plugin versiones 1.32 y anteriores, no lleva a cabo la comprobación del hostname cuando se conecta al servidor SMTP configurado • http://www.openwall.com/lists/oss-security/2020/09/16/3 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1813 https://access.redhat.com/security/cve/CVE-2020-2252 https://bugzilla.redhat.com/show_bug.cgi?id=1880454 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVE-2017-2651
https://notcve.org/view.php?id=CVE-2017-2651
jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. jenkins-mailer-plugin en versiones anteriores a la 1.20 es vulnerable a una divulgación de información mientras usa la característica para enviar correos electrónicos a una lista de usuarios creada dinámicamente basada en los changelogs. Esto podría en algunos casos resultar en el envío de correos electrónicos a personas que no tienen una cuenta de usuario en Jenkins, y en casos raros incluso a personas que no estaban involucradas en algún proyecto que se estuviera desarrollando, debido a algún mapeo basado en la parte local de las direcciones de correo electrónico. • http://www.securityfocus.com/bid/96984 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2651 https://jenkins.io/security/advisory/2017-03-20 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-8718 – Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
https://notcve.org/view.php?id=CVE-2018-8718
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el plugin Mailer 1.20 para Jenkins 2.111 permite que usuarios autenticados remotos envíen correos no autorizados como un usuario arbitrario mediante una petición /descriptorByName/hudson.tasks.Mailer/sendTestMail. Jenkins Mailer plugin versions prior to 1.20 suffer from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/44843 https://github.com/GeunSam2/CVE-2018-8718 http://www.openwall.com/lists/oss-security/2018/03/26/3 http://www.securityfocus.com/bid/103691 https://jenkins.io/security/advisory/2018-03-26 • CWE-352: Cross-Site Request Forgery (CSRF) •