Vulnerabilites related to jenkins - github_pull_request_builder
cve-2018-1000186
Vulnerability from cvelistv5
Published
2018-06-05 20:00
Modified
2024-09-16 22:36
Severity ?
EPSS score ?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T12:40:46.854Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-06-05T00:00:00", descriptions: [ { lang: "en", value: "A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-06-05T20:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2018-06-05T12:46:01.943019", DATE_REQUESTED: "2018-06-05T00:00:00", ID: "CVE-2018-1000186", REQUESTER: "ml@beckweb.net", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-1000186", datePublished: "2018-06-05T20:00:00Z", dateReserved: "2018-06-05T00:00:00Z", dateUpdated: "2024-09-16T22:36:38.384Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1000142
Vulnerability from cvelistv5
Published
2018-04-05 13:00
Modified
2024-09-16 20:16
Severity ?
EPSS score ?
Summary
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T12:33:49.332Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-04-05T00:00:00", descriptions: [ { lang: "en", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-04-05T13:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2018-04-05", ID: "CVE-2018-1000142", REQUESTER: "ml@beckweb.net", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-1000142", datePublished: "2018-04-05T13:00:00Z", dateReserved: "2018-04-05T00:00:00Z", dateUpdated: "2024-09-16T20:16:33.257Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1000143
Vulnerability from cvelistv5
Published
2018-04-05 13:00
Modified
2024-09-16 19:40
Severity ?
EPSS score ?
Summary
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T12:33:49.331Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-04-05T00:00:00", descriptions: [ { lang: "en", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-04-05T13:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2018-04-05", ID: "CVE-2018-1000143", REQUESTER: "ml@beckweb.net", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", refsource: "CONFIRM", url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-1000143", datePublished: "2018-04-05T13:00:00Z", dateReserved: "2018-04-05T00:00:00Z", dateUpdated: "2024-09-16T19:40:27.564Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-24436
Vulnerability from cvelistv5
Published
2023-01-24 00:00
Modified
2024-08-02 10:56
Severity ?
EPSS score ?
Summary
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins GitHub Pull Request Builder Plugin |
Version: unspecified < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.180Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%281%29", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins GitHub Pull Request Builder Plugin", vendor: "Jenkins Project", versions: [ { lessThanOrEqual: "1.42.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "unknown", version: "next of 1.42.2", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.", }, ], providerMetadata: { dateUpdated: "2023-10-24T12:48:26.270Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%281%29", }, ], }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2023-24436", datePublished: "2023-01-24T00:00:00", dateReserved: "2023-01-23T00:00:00", dateUpdated: "2024-08-02T10:56:04.180Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-24434
Vulnerability from cvelistv5
Published
2023-01-24 00:00
Modified
2024-08-02 10:56
Severity ?
EPSS score ?
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins GitHub Pull Request Builder Plugin |
Version: unspecified < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.192Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins GitHub Pull Request Builder Plugin", vendor: "Jenkins Project", versions: [ { lessThanOrEqual: "1.42.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "unknown", version: "next of 1.42.2", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, ], providerMetadata: { dateUpdated: "2023-10-24T12:48:24.000Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2023-24434", datePublished: "2023-01-24T00:00:00", dateReserved: "2023-01-23T00:00:00", dateUpdated: "2024-08-02T10:56:04.192Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-24435
Vulnerability from cvelistv5
Published
2023-01-24 00:00
Modified
2024-08-02 10:56
Severity ?
EPSS score ?
Summary
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins GitHub Pull Request Builder Plugin |
Version: unspecified < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:03.902Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jenkins GitHub Pull Request Builder Plugin", vendor: "Jenkins Project", versions: [ { lessThanOrEqual: "1.42.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "unknown", version: "next of 1.42.2", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, ], providerMetadata: { dateUpdated: "2023-10-24T12:48:25.137Z", orgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", shortName: "jenkins", }, references: [ { url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], }, }, cveMetadata: { assignerOrgId: "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", assignerShortName: "jenkins", cveId: "CVE-2023-24435", datePublished: "2023-01-24T00:00:00", dateReserved: "2023-01-23T00:00:00", dateUpdated: "2024-08-02T10:56:03.902Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2018-06-05 20:29
Modified
2024-11-21 03:39
Severity ?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "C57C3E96-6A2A-4F81-B5B0-4D324C28977C", versionEndIncluding: "1.41.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, { lang: "es", value: "Existe una vulnerabilidad de exposición de información sensible en el plugin GitHub Pull Request Builder 1.41.0 y anteriores de Jenkins en GhprbGitHubAuth.java que permite que los atacantes con acceso Overall/Read se conecten a un URL especificado por el atacante, usando ID de credenciales especificadas por el atacante obtenidos a través de otro método, capturando las credenciales almacenadas en Jenkins.", }, ], id: "CVE-2018-1000186", lastModified: "2024-11-21T03:39:53.023", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-06-05T20:29:00.560", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-805", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-04-05 13:29
Modified
2024-11-21 03:39
Severity ?
Summary
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "17E65397-A3F9-459C-9360-FD6506BC10E6", versionEndIncluding: "1.39.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, { lang: "es", value: "Existe una vulnerabilidad de exposición de información sensible en el plugin GitHub Pull Request Builder en Jenkins, en versiones 1.39.0 y anteriores, en GhprbCause.java que permite que un atacante con acceso al sistema de archivos local obtenga credenciales GitHub.", }, ], id: "CVE-2018-1000142", lastModified: "2024-11-21T03:39:46.627", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-04-05T13:29:00.213", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-26 21:18
Modified
2024-11-21 07:47
Severity ?
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "973ABDA3-D711-44D4-BAFE-85C0E60F5BA4", versionEndIncluding: "1.42.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, { lang: "es", value: "Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento GitHub Pull Request Builder de Jenkins en su versión 1.42.2 y anteriores permite a los atacantes conectarse a una URL especificada por el atacante utilizando ID de credenciales especificadas por el atacante obtenidas a través de otro método, capturando las credenciales almacenadas en Jenkins.", }, ], id: "CVE-2023-24434", lastModified: "2024-11-21T07:47:51.600", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-26T21:18:17.457", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-26 21:18
Modified
2024-11-21 07:47
Severity ?
Summary
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "973ABDA3-D711-44D4-BAFE-85C0E60F5BA4", versionEndIncluding: "1.42.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", }, { lang: "es", value: "Una verificación de permiso faltante en el complemento GitHub Pull Request Builder de Jenkins en su versión 1.42.2 y anteriores permite a los atacantes con permiso general/lectura conectarse a una URL especificada por el atacante utilizando ID de credenciales especificadas por el atacante obtenidas a través de otro método, capturando las credenciales almacenadas en Jenkins.", }, ], id: "CVE-2023-24435", lastModified: "2024-11-21T07:47:51.713", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-26T21:18:17.537", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%282%29", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-26 21:18
Modified
2024-11-21 07:47
Severity ?
Summary
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "973ABDA3-D711-44D4-BAFE-85C0E60F5BA4", versionEndIncluding: "1.42.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.", }, { lang: "es", value: "Una verificación de permiso faltante en el complemento GitHub Pull Request Builder de Jenkins en su versión 1.42.2 y anteriores permite a atacantes con permiso general/lectura enumerar los ID de las credenciales almacenadas en Jenkins.", }, ], id: "CVE-2023-24436", lastModified: "2024-11-21T07:47:51.827", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-26T21:18:17.600", references: [ { source: "jenkinsci-cert@googlegroups.com", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%281%29", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2789%20%281%29", }, ], sourceIdentifier: "jenkinsci-cert@googlegroups.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-04-05 13:29
Modified
2024-11-21 03:39
Severity ?
Summary
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | github_pull_request_builder | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:github_pull_request_builder:*:*:*:*:*:jenkins:*:*", matchCriteriaId: "17E65397-A3F9-459C-9360-FD6506BC10E6", versionEndIncluding: "1.39.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials.", }, { lang: "es", value: "Existe una vulnerabilidad de exposición de información sensible en el plugin GitHub Pull Request Builder en Jenkins, en versiones 1.39.0 y anteriores, en GhprbCause.java que permite que un atacante con acceso al sistema de archivos local obtenga credenciales GitHub.", }, ], id: "CVE-2018-1000143", lastModified: "2024-11-21T03:39:46.800", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 0.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-04-05T13:29:00.307", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }