Search for packages
| purl | pkg:rpm/redhat/jenkins-2-plugins@4.12.1706515741-1?arch=el8 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17sn-57uv-gkg3
Aliases: CVE-2023-40338 GHSA-36hq-v2fc-rpqp |
Jenkins Folders Plugin information disclosure vulnerability Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. | There are no reported fixed by versions. |
|
VCID-2a3h-6wad-63gc
Aliases: CVE-2023-37947 GHSA-35gf-xjgf-96c5 |
URL Redirection to Untrusted Site ('Open Redirect') Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks. | There are no reported fixed by versions. |
|
VCID-5bu5-5b6n-nuft
Aliases: CVE-2023-24422 GHSA-76qj-9gwh-pvv3 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | There are no reported fixed by versions. |
|
VCID-a1eu-yahc-ffgr
Aliases: CVE-2023-40337 GHSA-22c3-whjv-hrfm |
Cross-Site Request Forgery (CSRF) A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder. | There are no reported fixed by versions. |
|
VCID-fnpa-1sqy-u7hw
Aliases: CVE-2023-2976 GHSA-7g45-4rm6-3mm3 |
Guava vulnerable to insecure use of temporary directory Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. | There are no reported fixed by versions. |
|
VCID-h9yg-u3jh-mbfq
Aliases: CVE-2023-40339 GHSA-pv2g-vm98-vjxf |
Jenkins Config File Provider Plugin improper credential masking vulnerability Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | There are no reported fixed by versions. |
|
VCID-j456-xdn6-xyej
Aliases: CVE-2023-40341 GHSA-g4pq-p927-7pgg |
Cross-Site Request Forgery (CSRF) A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. | There are no reported fixed by versions. |
|
VCID-j584-bgww-z7fw
Aliases: CVE-2022-29599 GHSA-rhgr-952r-6p8q |
Command injection in Apache Maven maven-shared-utils In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. | There are no reported fixed by versions. |
|
VCID-j986-mtma-b3bw
Aliases: CVE-2022-42889 GHSA-599f-7c49-w659 |
Arbitrary code execution in Apache Commons Text Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | There are no reported fixed by versions. |
|
VCID-m3g5-ua28-afd2
Aliases: CVE-2021-26291 GHSA-2f88-5hg8-9x2x |
Origin Validation Error in Apache Maven Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html | There are no reported fixed by versions. |
|
VCID-mm3e-4pej-byed
Aliases: CVE-2022-25857 GHSA-3mc7-4q67-w48m |
Uncontrolled Resource Consumption in snakeyaml The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | There are no reported fixed by versions. |
|
VCID-pwtj-az3g-zka3
Aliases: CVE-2020-7692 GHSA-f263-c949-w85g |
Improper Authorization in Google OAuth Client PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. | There are no reported fixed by versions. |
|
VCID-quvj-3tpk-qug1
Aliases: CVE-2023-25761 GHSA-ph74-8rgx-64c5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin. | There are no reported fixed by versions. |
|
VCID-zxcj-h6nx-m7gq
Aliases: CVE-2023-25762 GHSA-9j65-3f2q-8q2r |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||