AVG-2678 log

Package jenkins
Status Not affected
Severity High
Type multiple issues
Affected 0.0.0-1
Fixed Not affected
Current 2.485-1 [extra]
Ticket None
Created Tue Apr 12 21:35:00 2022
Issue Severity Remote Type Description
CVE-2022-28160 Medium Yes Arbitrary filesystem access
Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller.
CVE-2022-28159 Medium Yes Cross-site scripting
Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored...
CVE-2022-28158 Medium Yes Information disclosure
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate...
CVE-2022-28157 Medium Yes Arbitrary file upload
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins...
CVE-2022-28156 Medium Yes Information disclosure
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the...
CVE-2022-28155 High Yes Xml external entity injection
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28154 High Yes Xml external entity injection
Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28153 Medium Yes Cross-site scripting
Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS)...
CVE-2022-28152 Medium Yes Cross-site scripting
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default...
CVE-2022-28151 Medium Yes Access restriction bypass
A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and...
CVE-2022-28150 High Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and...
CVE-2022-28149 Medium Yes Cross-site scripting
Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross- site scripting...
CVE-2022-28148 Medium Yes Arbitrary filesystem access
The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting...
CVE-2022-28147 Medium Yes Information disclosure
A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check...
CVE-2022-28146 Medium Yes Arbitrary filesystem access
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins...
CVE-2022-28145 Medium Yes Cross-site scripting
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in...
CVE-2022-28144 Medium Yes Unknown
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to...
CVE-2022-28143 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker- specified host...
CVE-2022-28142 High Yes Unknown
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues.
CVE-2022-28141 Medium Yes Information disclosure
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it...
CVE-2022-28140 High Yes Xml external entity injection
Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28139 Medium Yes Unknown
A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an...
CVE-2022-28138 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an...
CVE-2022-28137 Medium Yes Unknown
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect...
CVE-2022-28136 High Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an...
CVE-2022-28135 Medium Yes Information disclosure
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins...
CVE-2022-28134 Medium Yes Unknown
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with...
CVE-2022-28133 Medium Yes Cross-site scripting
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored...
Notes
plugins not packaged