(1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by list…
[point-cli] point-cli allows local users to obtain sensitive information by listing the process
lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-4997
http://ww…
[kajam] kajam allows local users to obtain sensitive information by listing the process
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local use…
[lean-ruport] lean-ruport allows local users to obtain sensitive information by listing the process
test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
References
https://nvd.nist.gov/vuln/detail/CVE-20…
[se.diabol.jenkins.pipeline:delivery-pipeline-plugin] Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter ‘fullscreen’ in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. Version 1.0.8 of the plug…
[ldap_fluff] ldap_fluff authentication bypass
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
References
https://nvd.nist.gov/vuln/detail/CVE-2012-5604
https:/…
[org.jenkins-ci.plugins:cucumber-living-documentation] Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing att…
[org.jenkins-ci.plugins:reverse-proxy-auth-plugin] Jenkins Reverse Proxy Auth Plugin allows attackers with local file system access to obtain a list of authorities for logged in users
An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealm#authContext that allows attackers with local file system access to obtain a list of authorities for logged in user…
[org.jenkins-ci.plugins:vsphere-cloud] Jenkins vSphere Plugin disables SSL/TLS certificate validation by default
A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default.
References
https:…
[org.jenkins-ci.plugins:google-login] Jenkins Google Login Plugin Open Redirect vulnerability
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. Google Login Plugin 1.3.1 only performs redirects t…