An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java. SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed u…
[curl] curl FTP path confusion leads to NIL byte out of bounds write
curl can be coerced into writing a zero byte out of bounds.
This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command (–ftp-method singlecwd or the libcurl alternative CURLOPT_FTP_FILEMETHOD).
cu…
[authlogic] Authlogic Information Exposure vulnerability
The Authlogic gem for Ruby on Rails prior to version 3.3.0 makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known sec…
[org.jenkins-ci.plugins:ssh-agent] Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugi…
[asciidoctor] Asciidoctor Infinite Loop vulnerability
Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was…
[org.jenkins-ci.plugins:zos-connector] Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious exte…
[org.jenkins-ci.plugins:vsphere-cloud] Jenkins vSphere Plugin incorrect authorization vulnerability
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSp…
[org.jenkins-ci.plugins:subversion] Jenkins Subversion Plugin Incorrect Authorization vulnerability
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users. As of v…
[org.jenkins-ci.plugins:coverity] Jenkins Coverity Plugin has Insufficiently Protected Credentials
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious extension…
[org.jenkins-ci.plugins:google-play-android-publisher] Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials …