Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
The cr…
[org.jenkins-ci.plugins:delphix] Jenkins Delphix Plugin vulnerable to Cleartext credential storage
Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10453
https://je…
[org.jenkins-ci.plugins:icescrum] Jenkins iceScrum Plugin vulnerable to Cross-site Request Forgery
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin prior to version 1.1.6 allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue is patched in version 1.1.6.
References
https://nvd.n…
[org.jenkins-ci.plugins:icescrum] Jenkins iceScrum Plugin stores credentials in Cleartext
Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
References
https://nvd.nist….
[com.mtvi.plateng.hudson:ldapemail] Jenkins LDAP Email Plugin shows plain text password in configuration form
Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10434
https://jenkins.io/security/…
[pterodactyl/panel] Pterodactyl vulnerable to 2FA Sniffing
Pterodactyl version 0.7.13 and lower – 2FA Sniffing
Users who have enabled 2FA protections on their account can unintentionally have their account’s existence sniffed by malicious users who enter random credentials into the login fields.
Impact
Users w…
[werkzeug] Pallets Werkzeug vulnerable to Path Traversal
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-14322
https://palletsprojects.com/blog/werkzeug-0-15-5-released/
http://packetstorms…
[org.jenkins-ci.plugins:depgraph-view] Jenkins Dependency Graph Viewer Plugin contains Cross-site Scripting
A stored cross-site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
References
…
[io.jenkins.plugins:embeddable-build-status-plugin] Jenkins Embeddable Build Status Plugin contains Cross-site Scripting
A reflected cross-site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10…
[io.jenkins.docker:docker-plugin] Jenkins Docker Plugin contains Cross-Site Request Forgery
A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs o…