TechMedia – Page 81080

[com.hoiio.jenkins:sms] Access token stored in plain text by Jenkins SMS Notification Plugin

Posted inLOW
Posted byWpmaster
05/25/202212/22/2022

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.
This access token can be viewed by users wi…

[com.barchart.jenkins:maven-release-cascade] CSRF vulnerability in Jenkins Maven Cascade Release Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-22…

[com.barchart.jenkins:maven-release-cascade] Missing permission checks in Jenkins Maven Cascade Release Plugin

Jenkins Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.
References

http…

[org.jenkins-ci.plugins:persona] Arbitrary file read vulnerability in Jenkins Persona Plugin

Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2293
https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY…

[org.jenkins-ci.plugins:shared-objects] CSRF vulnerability in Jenkins Shared Objects Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2296
https://www.jenkins.io/security/advisory/2020-1…

[org.jenkins-ci.plugins:release] Stored XSS vulnerability in Jenkins Release Plugin

Posted inHIGH
Posted byWpmaster
05/25/202212/22/2022

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.
References

https://nvd.nist.gov/vu…

[org.jenkins-ci.plugins:couchdb-statistics] Password stored in plain text by Jenkins couchdb-statistics Plugin

Posted inLOW
Posted byWpmaster
05/25/202212/22/2022

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.
This password can be viewed …

[org.biouno:uno-choice] Stored XSS vulnerability in Jenkins Active Choices Plugin

Posted inHIGH
Posted byWpmaster
05/25/202212/22/2022

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5 esca…

[org.jenkins-ci.plugins:audit-trail] Incorrect default pattern in Jenkins Audit Trail Plugin

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.
In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would …

[org.biouno:uno-choice] Stored XSS vulnerability in Jenkins Active Choices Plugin

Posted inHIGH
Posted byWpmaster
05/25/202212/22/2022

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permis…