TechMedia

Archive

Month: May 2022

376 Posts

Featured

Posted by Wpmaster
The Reality of Wiper Attacks and Digital Information Manipulation as Seen in the War in Ukraine
Posted by Wpmaster
"Ace Combat" and "Top Gun: Maverick" team up in a dream collaboration! The Maverick-skin "F-14A Tomcat" and "F/A-18E Super Hornet" make their appearance!
Posted by Wpmaster
Yukihiro Takahashi marks the 50th anniversary of his solo career! Details announced of the live recordings included in the "T.E.N.T Years Vinyl Box"!
Posted by Wpmaster
[camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability

[org.jenkins-ci.plugins:pipeline-build-step] Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/14/2023)

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions, allowing any user with Overall/Re…

[org.jenkins-ci.plugins:pipeline-githubnotify-step] Missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/14/2023)

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, c…

[org.jenkins-ci.plugins:azure-ad] Client secret transmitted in plain text by Azure AD Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/14/2023)

Azure AD Plugin stores a client secret in its global configuration.
While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of…

[org.jenkins-ci.plugins:nunit] XXE vulnerability in NUnit Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/14/2023)

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities fo…

[org.jenkins-ci.tools:git-parameter] Jenkins Git Parameter Plugin vulnerable to Stored cross-site scripting (XSS)

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/07/2023)

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
References

https://nvd.nist.gov/vuln/detai…

[org.jenkins-ci.tools:git-parameter] Jenkins Git Parameter Plugin vulnerable to stored cross-site scripting (XSS)

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/07/2023)

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
References

https://nvd.nist.gov/vuln/detail…

[org.jenkins-ci.plugins:s3] Jenkins S3 Publisher Plugin transmits credentials in plain text during configuration

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/07/2023)

S3 Publisher Plugin stores a secret key in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 Publisher Plugin 0.11.4 and earlier. This can result in expos…

[omniauth-weibo-oauth2] omniauth-weibo-oauth2 included a code-execution backdoor inserted by a third party

  • Posted in CRITICAL
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/27/2023)

The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.
References

https://nvd.nist.gov/vuln/detail/CVE-20…

[io.jenkins.plugins:code-coverage-api] Stored XSS vulnerability in Code Coverage API Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/20/2022)

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view.
This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration.
Code Cover…

[org.jenkins-ci.main:jenkins-core] Jenkins REST APIs vulnerable to clickjacking

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/20/2022)

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the X-Frame-Options: deny HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web …
