TechMedia

[org.jenkins-ci.plugins:logstash] Credentials transmitted in plain text by Jenkins Logstash Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/14/2023

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.
While the credentials are stored encrypted on disk, they are transmitted in p…

[org.jenkins-ci.plugins:rundeck] XXE vulnerability in Rundeck Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 01/14/2023

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extr…

[org.jenkins-ci.plugins:zephyr-enterprise-test-management] Credentials stored in plain text by Zephyr Enterprise Test Management Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/14/2023

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins contr…

[fr.edf.jenkins.plugins:mac] CSRF vulnerability in Mac Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 01/14/2023

A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2147
https://…

[org.jenkins-ci.plugins:repository-connector] Credentials transmitted in plain text by Repository Connector Plugin

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/14/2023

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.
While the credentials are stored encrypted …

[org.jenkins-ci.plugins:quality-gates] Jenkins Quality Gates Plugin transmits credentials in plain text during configuration

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/07/2023

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in p…

[org.jenkins-ci.plugins:sonar-quality-gates] Jenkins Sonar Quality Gates Plugin transmits credentials in plain text during configuration

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/07/2023

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transm…

[org.jenkins-ci.plugins:cobertura] XXE vulnerability in Jenkins Cobertura Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 01/06/2023

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘Publish Cobertura Coverage Report’ post-build step to have Jenkins parse a cra…

[org.jenkins-ci.plugins:cobertura] Arbitrary file write vulnerability in Jenkins Cobertura Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 01/06/2023

An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. Cobertura Plugin 1.16 sanitizes the file path…

[org.jenkins-ci.plugins:audit-trail] XSS vulnerability in Jenkins Audit Trail Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 01/06/2023

Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. Audit Trail Plugin 3.3 escapes the affected part of the error message….
