Summary
Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.
libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including…
[org.jvnet.hudson.plugins:storable-configs-plugin] XML External Entity Reference in Jenkins Storable Configs Plugin
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-30971
https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-19…
[org.jvnet.hudson.plugins:storable-configs-plugin] Cross Site Request Forgery in Jenkins Storable Configs Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenki…
[org.jenkins-ci.plugins:autocomplete-parameter] Cross-site Scripting in Jenkins Autocomplete Parameter Plugin
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from JavaScript embedded in view definitions, resulting in a stored cross-site scripting (XSS)…
[org.jenkins-ci.plugins:autocomplete-parameter] Cross-Site Request Forgery in Jenkins Autocomplete Parameter Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
References
https://nvd.nist.gov/vuln/de…
[org.jenkins-ci.plugins:random-string-parameter] Cross-site Scripting in Jenkins Random String Parameter Plugin
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Ite…
[org.jenkins-ci.plugins:vboxwrapper] Cross-site Scripting in Jenkins vboxwrapper Plugin
Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure perm…
[io.jenkins.plugins:multiselect-parameter] Cross-site Scripting in Jenkins Multiselect parameter Plugin
Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Co…
[org.jvnet.hudson.plugins:selection-tasks-plugin] Cross-site Scripting in Jenkins Selection tasks Plugin
Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers…
[org.jenkins-ci.plugins:app-detector] Cross-site Scripting in Jenkins Application Detector Plugin
Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Con…