{"vulnerability": "cve-2023-2790", "sightings": [{"uuid": "f81f6929-1c18-4d3b-abc5-333045e773a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "published-proof-of-concept", "source": "https://t.me/cKure/10774", "content": "\u25a0\u25a0\u25a0\u25a0\u25a1 CVE-2023-27898 and CVE-2023-27905: CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE.\n\nhttps://blog.aquasec.com/jenkins-server-vulnerabilities", "creation_timestamp": "2023-03-09T13:39:22.000000Z"}, {"uuid": "71dafd41-620b-4d00-a255-6e7289eba4fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27901", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5963", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27901\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.\n\ud83d\udccf Published: 2023-03-08T17:14:50.696Z\n\ud83d\udccf Modified: 2025-02-28T18:45:56.466Z\n\ud83d\udd17 References:\n1. 
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030", "creation_timestamp": "2025-02-28T19:27:10.000000Z"}, {"uuid": "9baf8b5a-ac17-4500-b025-a78a2d82c632", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27904", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5959", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27904\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.\n\ud83d\udccf Published: 2023-03-08T17:14:52.848Z\n\ud83d\udccf Modified: 2025-02-28T18:52:53.060Z\n\ud83d\udd17 References:\n1. https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", "creation_timestamp": "2025-02-28T19:27:04.000000Z"}, {"uuid": "e028107a-5378-4d06-badb-e2067f360e56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27902", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5962", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27902\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.\n\ud83d\udccf Published: 2023-03-08T17:14:51.451Z\n\ud83d\udccf Modified: 2025-02-28T18:48:21.844Z\n\ud83d\udd17 References:\n1. 
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807", "creation_timestamp": "2025-02-28T19:27:10.000000Z"}, {"uuid": "98f09eb3-9ac0-4194-b885-278705582ddb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27903", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5961", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27903\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.\n\ud83d\udccf Published: 2023-03-08T17:14:52.143Z\n\ud83d\udccf Modified: 2025-02-28T18:50:23.901Z\n\ud83d\udd17 References:\n1. 
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", "creation_timestamp": "2025-02-28T19:27:06.000000Z"}, {"uuid": "3a7ec503-b510-4ae7-8f42-1efb603c7681", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27900", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5964", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27900\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.\n\ud83d\udccf Published: 2023-03-08T17:14:49.805Z\n\ud83d\udccf Modified: 2025-02-28T18:43:28.521Z\n\ud83d\udd17 References:\n1. https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030", "creation_timestamp": "2025-02-28T19:27:11.000000Z"}, {"uuid": "87b2d6df-5faf-48b5-b115-3e2ed682a13b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5957", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-27905\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.\n\ud83d\udccf Published: 2023-03-08T17:14:53.560Z\n\ud83d\udccf Modified: 2025-02-28T18:54:24.407Z\n\ud83d\udd17 References:\n1. 
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3063", "creation_timestamp": "2025-02-28T19:27:02.000000Z"}, {"uuid": "33ab5c63-e219-446b-bd25-6bc835df9f90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/163", "content": "CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE\n\n\ud83d\udc64 by Ilay Goldman and Yair Kadkoda\n\nAqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.\n\n\ud83d\udcdd Contents:\n\u25cf The Research in a Nutshell\n\u25cf Frequently Asked Questions\n\u25cf Some Basic Jenkins Definitions\n\u25cf Improper Sanitation: The Jenkins Update Center\n\u25cf CVE-2023-27905\n\u25cf CVE-2023-27898\n\u25cf The Tiering Mechanism\n\u25cf From XSS to RCE\n\u25cf Bringing the malicious plugin to the front\n\u25cf Attack steps summary\n\u25cf Disclosure timeline\n\u25cf In Summary\n\nhttps://blog.aquasec.com/jenkins-server-vulnerabilities", "creation_timestamp": "2023-03-09T06:16:33.000000Z"}, {"uuid": "318ddd7d-c3a5-4024-8408-abc34ef20096", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "Telegram/EVFHanXpzil_YJCHy-5hU_3a-Y6iLal6kWY8NjvP1rD2cgu-", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "853c8057-d793-4fd6-b166-52bef7dd2000", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"CVE-2023-27904", "type": "seen", "source": "Telegram/iPVcxoH8sPQP9s9fBQ1EzxFHRPe9jRAtxelt9HtGNiwZMtBN", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "e2cf5b47-30bb-40c0-8b27-8440ed1d3fc7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27903", "type": "seen", "source": "Telegram/najD0oIrjKHndOkHW4cpgqU4lDFPLZPEHoCxNO_eAVuLp9WW", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "a66e25c9-e56b-42ee-a672-895007275465", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27902", "type": "seen", "source": "Telegram/5-mpDTnXXmOOzF0rM84bEvk97ECOJWLAJocbT_s-tT0dSY-1", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "c550fa71-f14d-40dc-b448-541bbf373539", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27901", "type": "seen", "source": "Telegram/HCo7oBc9MuABAZ3fcQP6FO0F8XbROF3_F21Hr1OX3zJVvqUa", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "0b3d4ad1-f43c-4f86-b507-70748d5a0d58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27900", "type": "seen", "source": "Telegram/9mU-T56rdJAAG8DZW4GTKg2vS2llhDO6biCeQxdJmLS-toX0", "content": "", "creation_timestamp": "2025-03-02T11:45:39.000000Z"}, {"uuid": "21576a2c-2b31-4e25-aa24-22915cd2def3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "https://t.me/KomunitiSiber/34", "content": "Jenkins Security Alert: New Security Flaws Could Allow Code Execution 
Attacks\nhttps://thehackernews.com/2023/03/jenkins-security-alert-new-security.html\n\nA pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems.\nThe flaws, tracked as\u00a0CVE-2023-27898\u00a0and\u00a0CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened\u00a0CorePlague\u00a0by cloud security firm Aqua. All Jenkins versions prior to 2.319.2 are", "creation_timestamp": "2023-03-09T04:59:49.000000Z"}, {"uuid": "e58bb870-e3fd-4b79-9330-9ca27117a060", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "https://t.me/arpsyndicate/1743", "content": "#ExploitObserverAlert\n\nCVE-2023-27905\n\nDESCRIPTION: Exploit Observer has 1 entry related to CVE-2023-27905. Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.\n\nFIRST-EPSS: 0.000910000\nNVD-IS: 6.0\nNVD-ES: 2.8", "creation_timestamp": "2023-12-11T13:27:06.000000Z"}, {"uuid": "e44d2eb0-5137-4f8b-b9b9-e014a1897d82", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-2790", "type": "seen", "source": "https://t.me/cibsecurity/64400", "content": "\u203c CVE-2023-2790 \u203c\n\nA vulnerability classified as problematic has been found in TOTOLINK N200RE 9.3.5u.6255_B20211224. Affected is an unknown function of the file /squashfs-root/etc_ro/custom.conf of the component Telnet Service. The manipulation leads to password in configuration file. It is possible to launch the attack on the local host. 
The exploit has been disclosed to the public and may be used. VDB-229374 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-18T16:32:06.000000Z"}, {"uuid": "e43fe1e7-c4ed-4abf-b46a-5e3dc575ea7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27907", "type": "seen", "source": "https://t.me/cibsecurity/62305", "content": "\u203c CVE-2023-27907 \u203c\n\nA malicious actor may convince a victim to open a malicious USD file that may trigger an out-of-bounds write vulnerability which may result in code execution.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-27T17:00:28.000000Z"}, {"uuid": "0fd2e2ea-b0e3-452d-93ad-02eb730eb520", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "https://t.me/true_secator/4155", "content": "A pair of serious vulnerabilities that could lead to code execution on target systems has been discovered in the popular open-source automation server Jenkins.\n\nThe flaws are tracked as CVE-2023-27898 and CVE-2023-27905 and affect the Jenkins server and the Update Center.\n\nResearchers at cloud security company Aqua have given the flaws the collective name CorePlague. All Jenkins versions prior to 2.319.2 are affected.\n\nExploiting these vulnerabilities could allow a potential unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, which in turn could lead to complete compromise of the server.\n\nThe flaws relate to the handling of plugins available in the Update Center, potentially allowing a threat actor to upload a plugin with a malicious payload and launch a cross-site scripting (XSS) attack.\n\nThe researchers explained that as soon as the victim opens the Available Plugin Manager on their Jenkins server, the XSS is triggered immediately, allowing attackers to execute arbitrary code on the server using the Script Console API.\n\nMoreover, since this is a case of stored XSS, where the JavaScript code is injected on the server, the vulnerability can be triggered without installing the plugin or even visiting the plugin URL.\n\nA worrying aspect is the fact that the vulnerabilities can affect self-hosted Jenkins servers and can be exploited even in scenarios where the server is not publicly reachable over the Internet, since the public Jenkins Update Center could be compromised by an attacker.\n\nHowever, for the attack to succeed, the rogue plugin must be compatible with the Jenkins server and appear at the top of the main feed on the Available Plugin Manager page.", "creation_timestamp": "2023-03-10T17:00:11.000000Z"}, {"uuid": "f36611c5-7bda-4fb4-b737-e961e5f14a0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27909", "type": "seen", "source": "https://t.me/cibsecurity/62313", "content": "\u203c CVE-2023-27909 \u203c\n\nAn Out-Of-Bounds Write Vulnerability in Autodesk\u00ae FBX\u00ae SDK version 2020 or prior may lead to code execution through maliciously crafted FBX files or information disclosure.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-18T00:28:46.000000Z"}, {"uuid": "ec5940c8-6e19-4214-86ea-680e0faf0d98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27906", "type": "seen", "source": "https://t.me/cibsecurity/62312", "content": "\u203c CVE-2023-27906 \u203c\n\nA malicious actor may convince a victim to open a malicious USD file that may trigger an out-of-bounds read vulnerability which may result in code execution.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-18T00:28:45.000000Z"}, {"uuid": "ef6422a9-de69-472d-adfc-417fd26d0474", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27903", "type": "seen", "source": "https://t.me/cibsecurity/59864", "content": "\u203c CVE-2023-27903 \u203c\n\nJenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-11T00:27:43.000000Z"}, {"uuid": 
"0c3d3088-4065-4f28-be01-4e6fe905c68b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27904", "type": "seen", "source": "https://t.me/cibsecurity/59863", "content": "\u203c CVE-2023-27904 \u203c\n\nJenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-11T00:27:42.000000Z"}, {"uuid": "1c0937ed-af1e-439f-8ed0-31e3b43b4d5d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27902", "type": "seen", "source": "https://t.me/cibsecurity/59856", "content": "\u203c CVE-2023-27902 \u203c\n\nJenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-11T00:27:35.000000Z"}, {"uuid": "33e29d87-843a-47c9-8243-545a08e8d54a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27901", "type": "seen", "source": "https://t.me/cibsecurity/59851", "content": "\u203c CVE-2023-27901 \u203c\n\nJenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-11T00:27:28.000000Z"}, 
{"uuid": "f9382dcf-b1e7-4e53-af30-5be7422f63f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-27905", "type": "seen", "source": "https://t.me/cibsecurity/59849", "content": "\u203c CVE-2023-27905 \u203c\n\nJenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-11T00:27:26.000000Z"}]}
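The CVE-2023-27900 through CVE-2023-27904 descriptions in the sightings above all share the same affected range: Jenkins weekly 2.393 and earlier, LTS 2.375.3 and earlier. Because the two release lines are numbered independently (an LTS 2.375.x is numerically below weekly 2.393 yet is a separate, current line), a naive "version <= 2.393" comparison misclassifies LTS hosts. The following is an added example, not part of this vulnerability-lookup export and not Jenkins project code. It assumes the version is read from the X-Jenkins response header that Jenkins sends on its HTTP responses; the sample headers at the bottom are constructed for the demonstration, not captured from a real host.

```python
"""Classify a Jenkins core version against the 2023-03-08 advisory ranges
quoted in the CVE descriptions on this page. Added example; not from the
export or from the Jenkins project."""
import re
from typing import Optional, Tuple

# Upper bounds of the affected ranges, exactly as the descriptions state them.
WEEKLY_MAX_AFFECTED: Tuple[int, ...] = (2, 393)      # "2.393 and earlier"
LTS_MAX_AFFECTED: Tuple[int, ...] = (2, 375, 3)      # "LTS 2.375.3 and earlier"

# Weekly releases have two numeric components, LTS releases three.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.393' or '2.375.3' into a tuple of ints for ordered comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jenkins core version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: Tuple[int, ...]) -> bool:
    """Three components means an LTS release (e.g. 2.375.3)."""
    return len(version) == 3


def is_affected(text: str) -> bool:
    """True when the version is inside the advisory's affected range.
    The weekly and LTS lines are compared against their own bound so that
    LTS 2.375.4 (outside the range) is not mistaken for 'below 2.393'."""
    v = parse_version(text)
    if is_lts(v):
        return v <= LTS_MAX_AFFECTED
    return v <= WEEKLY_MAX_AFFECTED


def version_from_headers(headers: dict) -> Optional[str]:
    """Jenkins advertises its core version in the X-Jenkins response header.
    HTTP header names are case-insensitive, so match accordingly."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers: dict) -> dict:
    """Summarise one host: version seen, release line, and whether the
    version falls inside the affected range from the descriptions."""
    ver = version_from_headers(headers)
    if ver is None:
        return {"version": None, "line": None, "affected": None,
                "reason": "no X-Jenkins header; cannot classify"}
    line = "LTS" if is_lts(parse_version(ver)) else "weekly"
    return {"version": ver, "line": line, "affected": is_affected(ver),
            "reason": f"{line} bound is "
                      f"{'.'.join(map(str, LTS_MAX_AFFECTED if line == 'LTS' else WEEKLY_MAX_AFFECTED))}"}


if __name__ == "__main__":
    # Constructed sample response headers (not from a real host).
    samples = [
        {"X-Jenkins": "2.375.3", "Server": "Jetty(10.0.13)"},
        {"x-jenkins": "2.375.4"},
        {"X-Jenkins": "2.393"},
        {"X-Jenkins": "2.394"},
        {"Server": "nginx"},  # header stripped by a proxy: inconclusive
    ]
    for h in samples:
        print(assess(h))
```

A stripped or absent X-Jenkins header is reported as inconclusive rather than "not affected"; a reverse proxy in front of a controller often removes it, so the check should fall back to an authenticated query of the instance rather than assume safety.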