A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2268
ht…
A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2…
Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
References
https://nvd….
Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
References
https://nvd.nist.gov…
computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
computer-queue-plugin Plugin 1.6 escape…
Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to view an administrative configuration page.
Health Advisor by CloudBees Plugin …
Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.
This results in a stored cross-site scr…
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission…
Updated 2020-09-16
This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it.
Original Description
Blue Ocean Plugin 1.23.2 and earlier does not perform p…
Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins …
