
TechMedia

Archive

Month: May 2022

376 Posts

Featured

  • The reality of wiper attacks and digital information manipulation as seen in the war in Ukraine (Posted by Wpmaster)
  • Ace Combat and Top Gun: Maverick in a dream collaboration! A Maverick-skinned F-14A Tomcat and F/A-18E Super Hornet arrive! (Posted by Wpmaster)
  • Yukihiro Takahashi marks 50 years of solo work! Details announced for the live recordings on the T.E.N.T Years Vinyl Box (Posted by Wpmaster)
  • [camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability (Posted by Wpmaster)

[io.jenkins.plugins:warnings-ng] Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/15/2022)

Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attac…

[org.jenkins-ci.plugins:aws-credentials] Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/15/2022)

CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins if any of …

[org.jenkins-ci.plugins:matrix-auth] Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/15/2022)

Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.
Matrix Authorization Strategy Plugin 2.6.5 and earlier d…
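The three Jenkins advisories above share one root cause: a Stapler-reachable method or an authorization decision that trusts the caller without checking the permission that actually protects the data. The following is an added example, not code from the Warnings Next Generation, CloudBees AWS Credentials or Matrix Authorization Strategy plugins, showing the checks those entries describe as missing: an ancestor-aware read check, a form-validation method that refuses to act as a workspace oracle for Item/Read-only users, and a credentials list-fill helper that does not enumerate IDs for Overall/Read users. The class name and the method and field names (`HardenedDescriptorExample`, `canReadWithAncestors`, `doCheckPattern`, `doFillCredentialsIdItems`) are hypothetical; the permission constants, Stapler annotations and credentials-plugin calls are the real Jenkins APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/**
 * Added example (hypothetical class): the permission checks whose absence the
 * three Jenkins advisories describe. Not code from any of the named plugins.
 */
public class HardenedDescriptorExample {

    /**
     * Matrix Authorization Strategy entry: an item is readable only if every
     * ancestor (folder) is readable too. Walk up through Item parents; the
     * Jenkins root is an ItemGroup but not an Item, so the loop stops there.
     */
    public static boolean canReadWithAncestors(Item item) {
        for (Item current = item; current != null;) {
            if (!current.hasPermission(Item.READ)) {
                return false;
            }
            ItemGroup<?> parent = current.getParent();
            current = (parent instanceof Item) ? (Item) parent : null;
        }
        return true;
    }

    /**
     * Warnings NG entry: form validation that touches the workspace must not
     * answer for users who can only read the job. Returning ok() rather than an
     * error keeps the validation from becoming a file-existence oracle.
     */
    public FormValidation doCheckPattern(@AncestorInPath AbstractProject<?, ?> project,
                                         @QueryParameter String value) {
        if (project == null) {
            return FormValidation.ok();
        }
        // The check the advisory reports as missing: Item/Read alone is not enough.
        if (!project.hasPermission(Item.WORKSPACE) && !project.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null || value == null || value.isEmpty()) {
            return FormValidation.ok();
        }
        try {
            return workspace.child(value).exists()
                    ? FormValidation.ok()
                    : FormValidation.warning("'" + value + "' does not exist in the workspace");
        } catch (IOException | InterruptedException e) {
            return FormValidation.error(e, "Could not inspect the workspace");
        }
    }

    /**
     * CloudBees AWS Credentials entry: the list-fill helper behind a credentials
     * dropdown. Without the gate, anyone with Overall/Read who can reach the
     * endpoint receives the full list of credential IDs.
     */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Global configuration context: administrators only.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
            return result.includeEmptyValue()
                    .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class)
                    .includeCurrentValue(credentialsId);
        }
        // Job configuration context: the user must be able to see or use credentials here.
        if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```

In both endpoint methods the unauthorized branch returns the same shape of response as the authorized one (an `ok()` validation, or a list containing only the value already selected), so a probing user cannot distinguish "denied" from "nothing found". `ACL.SYSTEM` is deprecated in favour of `ACL.SYSTEM2` on recent cores; the pattern is otherwise the one the credentials plugin's consumer guide recommends.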

[Microsoft.NETCore.App.Runtime.linux-musl-x64] Denial of service in .NET core

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 11/02/2022)

.NET Core and Visual Studio denial of service vulnerability: the flaw exists when creating an HTTPS web request during X509 certificate chain building.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-1721
https://portal.msrc.micro…

[org.jenkins-ci.plugins:claim] XSS vulnerability in Jenkins Claim Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/21/2022)

Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the securi…

[io.jenkins.plugins:artifact-repository-parameter] Stored XSS vulnerability in Jenkins Artifact Repository Parameter Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/14/2022)

Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Artifact Repository Param…

[org.jenkins-ci.main:jenkins-core] Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/14/2022)

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2….

[cakephp/cakephp] CakePHP allows method override parameters to bypass CSRF checks

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/14/2023)

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request…

[org.jenkins-ci.plugins:bumblebee] Credentials stored in plain text by Jenkins Bumblebee HP ALM Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/21/2022)

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.
These credentials can be viewed by u…
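The fix for this class of issue in a Jenkins plugin is to type the field as `hudson.util.Secret` instead of `String`, so that the value XStream writes to the global configuration XML is the encrypted form and the plain text exists only in memory at the point of use. The following is an added example, not Bumblebee's code, of a global configuration that does this and that also migrates a plain-text value left behind by an older version. The class name `ExampleServerGlobalConfig` and the field names `password` and `legacyPassword` are hypothetical; `Secret`, `GlobalConfiguration` and `@DataBoundSetter` are the real Jenkins APIs.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * Added example (hypothetical class, not Bumblebee's code). Jenkins persists
 * this object to $JENKINS_HOME/<fully qualified class name>.xml, which is
 * exactly the file an unencrypted String field would leak the password into.
 */
@Extension
public class ExampleServerGlobalConfig extends GlobalConfiguration {

    // Vulnerable shape (what the advisory describes): a String is written to the XML verbatim.
    // private String password;

    // Hardened shape: XStream serialises a Secret as its encrypted value, never the plain text.
    private Secret password;

    // Field name used by the hypothetical older, plain-text version; kept so old XML still loads.
    @Deprecated
    private String legacyPassword;

    public ExampleServerGlobalConfig() {
        load();
        if (legacyPassword != null) {
            // Migrate the plain-text value and rewrite the file so it no longer contains it.
            password = Secret.fromString(legacyPassword);
            legacyPassword = null;
            save();
        }
    }

    /** Returned to the config form as a Secret; the view never sees plain text. */
    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter
    public void setPassword(Secret password) {
        this.password = password;
        save();
    }

    /** Decrypt only at the point of use (building the HTTP client), and never log the result. */
    public String passwordForClient() {
        return Secret.toString(password); // "" when unset, never null
    }
}
```

The matching `config.jelly` binds the field with `<f:password field="password"/>`, which round-trips the encrypted value so that an administrator reopening the form does not receive the plain text either. Users who can read the controller file system (or who hold Overall/Administer and use the script console) can still decrypt a `Secret`, so this change closes the "plain text on disk" finding but does not substitute for limiting access to `$JENKINS_HOME`.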

[org.jenkins-ci.main:jenkins-core] Excessive memory allocation in graph URLs leads to denial of service in Jenkins

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/14/2022)

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query paramet…
