The Authlogic gem for Ruby on Rails prior to version 3.3.0 makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known sec…
[org.jenkins-ci.plugins:ssh-agent] Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugi…
[asciidoctor] Asciidoctor Infinite Loop vulnerability
Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was…
[org.jenkins-ci.plugins:zos-connector] Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious exte…
[org.jenkins-ci.plugins:vsphere-cloud] Jenkins vSphere Plugin incorrect authorization vulnerability
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSp…
[org.jenkins-ci.plugins:subversion] Jenkins Subversion Plugin Incorrect Authorization vulnerability
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users. As of v…
[org.jenkins-ci.plugins:coverity] Jenkins Coverity Plugin has Insufficiently Protected Credentials
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator’s web browser (e.g. malicious extension…
[org.jenkins-ci.plugins:google-play-android-publisher] Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials …
[org.jenkins-ci.plugins:build-publisher] Jenkins Build-Publisher plugin has Insufficiently Protected Credentials
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowin…
[org.jenkins-ci.plugins:parameterized-trigger] Parameterized Trigger Plugin fails to check Item/Build permission
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. The plugin has been adapted to now check f…