A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials st…
[org.jenkins-ci.plugins:windows-slaves] Missing Authorization in Jenkins WMI Windows Agents plugin
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they’re not allowed to log in. WMI Windows Agents Plugin 1.8.1 no lon…
[org.jenkins-ci.plugins:ssh] Missing Authorization in Jenkins SSH plugin
A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credenti…
[org.jenkins-ci.plugins:git] Path traversal in Jenkins Git Plugin
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects’ SCM …
[org.jenkins-ci.plugins:windows-slaves] Buffer overflow in Jenkins WMI Windows Agents plugin
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library which has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.
References
h…
[org.jenkins-ci.plugins:mercurial] Path traversal in Jenkins Mercurial Plugin
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects’ …
[github.com/coreos/ignition/v2] Configuration exposure in github.com/coreos/ignition
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat …
[github.com/hashicorp/vault] Improper configuration of multi factor authentication in hashicorp vault
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate E…
[pyftpdlib] Improper Authentication in pyftpdlib
ftpserver.py in pyftpdlib before 0.5.0 does not delay its response after receiving an invalid login attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.
References
https://nvd.nist.gov/vuln/detail/CVE-2008-726…
[pyftpdlib] Improper input validation in pyftpdlib
The ftp_QUIT function in ftpserver.py in pyftpdlib before 0.5.0 allows remote authenticated users to cause a denial of service (file descriptor exhaustion and daemon outage) by sending a QUIT command during a disallowed data-transfer attempt.
Reference…