News aggregator

CVE-2018-1000194

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
Categories: Security News

CVE-2018-1000195

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

CVE-2018-1000196

National Vulnerability Database - Tue, 06/05/2018 - 17:29
An exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.

CVE-2018-1000197

National Vulnerability Database - Tue, 06/05/2018 - 17:29
An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.

CVE-2018-1000198

National Vulnerability Database - Tue, 06/05/2018 - 17:29
An XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML external entities in an XML document.

CVE-2018-1000202

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

CVE-2018-10057

National Vulnerability Database - Tue, 06/05/2018 - 17:29
The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal).

CVE-2018-10058

National Vulnerability Database - Tue, 06/05/2018 - 17:29
The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the addpool, failover-only, poolquota, and save command handlers.

CVE-2018-11586

National Vulnerability Database - Tue, 06/05/2018 - 17:29
XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

CVE-2018-3691

National Vulnerability Database - Tue, 06/05/2018 - 17:29
Some implementations in Intel Integrated Performance Primitives Cryptography Library before version 2018 U2.1 do not properly ensure constant execution time.

CVE-2017-7653

National Vulnerability Database - Tue, 06/05/2018 - 16:29
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

CVE-2017-7654

National Vulnerability Database - Tue, 06/05/2018 - 16:29
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

CVE-2018-1000182

National Vulnerability Database - Tue, 06/05/2018 - 16:29
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000183

National Vulnerability Database - Tue, 06/05/2018 - 16:29
An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2018-1000184

National Vulnerability Database - Tue, 06/05/2018 - 16:29
A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000185

National Vulnerability Database - Tue, 06/05/2018 - 16:29
A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000186

National Vulnerability Database - Tue, 06/05/2018 - 16:29
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2018-1000187

National Vulnerability Database - Tue, 06/05/2018 - 16:29
An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.

CVE-2018-1000188

National Vulnerability Database - Tue, 06/05/2018 - 16:29
A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000189

National Vulnerability Database - Tue, 06/05/2018 - 16:29
A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master.