All the vulnerabilites related to Jenkins Project - Jenkins NeuVector Vulnerability Scanner Plugin
cve-2023-49673
Vulnerability from cvelistv5
Published
2023-11-29 13:45
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jenkins_project:jenkins_neuvector_vulnerability_scanner_plugin:1.22:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jenkins_neuvector_vulnerability_scanner_plugin",
"vendor": "jenkins_project",
"versions": [
{
"lessThanOrEqual": "1.22",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T15:17:02.508275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:22:50.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-11-29",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3256"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins NeuVector Vulnerability Scanner Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.22",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password."
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T13:45:12.847Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-11-29",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3256"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-49673",
"datePublished": "2023-11-29T13:45:12.847Z",
"dateReserved": "2023-11-29T10:34:02.383Z",
"dateUpdated": "2024-08-02T22:01:25.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-10430
Vulnerability from cvelistv5
Published
2019-09-25 15:05
Modified
2024-08-04 22:24
Severity ?
EPSS score ?
Summary
Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2019/09/25/3 | mailing-list, x_refsource_MLIST |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:18.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
},
{
"name": "[oss-security] 20190925 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins NeuVector Vulnerability Scanner Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:28.939Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
},
{
"name": "[oss-security] 20190925 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10430",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins NeuVector Vulnerability Scanner Plugin",
"version": {
"version_data": [
{
"version_value": "1.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-256"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
},
{
"name": "[oss-security] 20190925 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10430",
"datePublished": "2019-09-25T15:05:34",
"dateReserved": "2019-03-29T00:00:00",
"dateUpdated": "2024-08-04T22:24:18.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49674
Vulnerability from cvelistv5
Published
2023-11-29 13:45
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-11-29",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3256"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins NeuVector Vulnerability Scanner Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.22",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password."
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T13:45:13.482Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-11-29",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3256"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-49674",
"datePublished": "2023-11-29T13:45:13.482Z",
"dateReserved": "2023-11-29T10:34:02.383Z",
"dateUpdated": "2024-08-02T22:01:26.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-30517
Vulnerability from cvelistv5
Published
2023-04-12 17:05
Modified
2024-08-02 14:28
Severity ?
EPSS score ?
Summary
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-04-12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2841"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Jenkins NeuVector Vulnerability Scanner Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.22",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T12:49:37.810Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-04-12",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2841"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-30517",
"datePublished": "2023-04-12T17:05:08.593Z",
"dateReserved": "2023-04-12T08:40:40.603Z",
"dateUpdated": "2024-08-02T14:28:51.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-43434
Vulnerability from cvelistv5
Published
2022-10-19 00:00
Modified
2024-08-03 13:32
Severity ?
EPSS score ?
Summary
Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:58.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865"
},
{
"name": "[oss-security] 20221019 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins NeuVector Vulnerability Scanner Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unknown",
"version": "next of 1.20",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:26:05.836Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865"
},
{
"name": "[oss-security] 20221019 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-43434",
"datePublished": "2022-10-19T00:00:00",
"dateReserved": "2022-10-18T00:00:00",
"dateUpdated": "2024-08-03T13:32:58.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}