Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for github by jenkins
CVE-2023-46650 (GCVE-0-2023-46650)
Vulnerability from nvd – Published: 2023-10-25 13:45 – Updated: 2025-02-13 17:14
VLAI?
Summary
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins GitHub Plugin |
Affected:
0 , ≤ 1.37.3
(maven)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-10-25",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:27:46.960467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:05:54.759Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins GitHub Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.37.3",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T13:50:06.262Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-10-25",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-46650",
"datePublished": "2023-10-25T13:45:53.053Z",
"dateReserved": "2023-10-24T16:05:00.959Z",
"dateUpdated": "2025-02-13T17:14:26.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36885 (GCVE-0-2022-36885)
Vulnerability from nvd – Published: 2022-07-27 14:21 – Updated: 2024-08-03 10:14
VLAI?
Summary
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins project | Jenkins GitHub Plugin |
Affected:
unspecified , ≤ 1.34.4
(custom)
Unaffected: 1.34.3.1 Unaffected: 1.34.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:29.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins GitHub Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.34.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.34.3.1"
},
{
"status": "unaffected",
"version": "1.34.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:23:58.571Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-36885",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins GitHub Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.34.4"
},
{
"version_affected": "!",
"version_value": "1.34.3.1"
},
{
"version_affected": "!",
"version_value": "1.34.1.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208: Observable Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-36885",
"datePublished": "2022-07-27T14:21:38.000Z",
"dateReserved": "2022-07-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:14:29.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000600 (GCVE-0-2018-1000600)
Vulnerability from nvd – Published: 2018-06-26 17:00 – Updated: 2024-09-16 23:01
VLAI?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-26T17:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-1000600",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000600",
"datePublished": "2018-06-26T17:00:00.000Z",
"dateReserved": "2018-06-26T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:52.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000184 (GCVE-0-2018-1000184)
Vulnerability from nvd – Published: 2018-06-05 20:00 – Updated: 2024-09-16 22:56
VLAI?
Summary
A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-05T20:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-05T12:46:01.940841",
"DATE_REQUESTED": "2018-06-05T00:00:00",
"ID": "CVE-2018-1000184",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000184",
"datePublished": "2018-06-05T20:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:33.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000183 (GCVE-0-2018-1000183)
Vulnerability from nvd – Published: 2018-06-05 20:00 – Updated: 2024-09-17 03:07
VLAI?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-05T20:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-05T12:46:01.939725",
"DATE_REQUESTED": "2018-06-05T00:00:00",
"ID": "CVE-2018-1000183",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000183",
"datePublished": "2018-06-05T20:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:07:20.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46650 (GCVE-0-2023-46650)
Vulnerability from cvelistv5 – Published: 2023-10-25 13:45 – Updated: 2025-02-13 17:14
VLAI?
Summary
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins GitHub Plugin |
Affected:
0 , ≤ 1.37.3
(maven)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-10-25",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:27:46.960467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:05:54.759Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins GitHub Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.37.3",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T13:50:06.262Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-10-25",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-46650",
"datePublished": "2023-10-25T13:45:53.053Z",
"dateReserved": "2023-10-24T16:05:00.959Z",
"dateUpdated": "2025-02-13T17:14:26.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36885 (GCVE-0-2022-36885)
Vulnerability from cvelistv5 – Published: 2022-07-27 14:21 – Updated: 2024-08-03 10:14
VLAI?
Summary
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins project | Jenkins GitHub Plugin |
Affected:
unspecified , ≤ 1.34.4
(custom)
Unaffected: 1.34.3.1 Unaffected: 1.34.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:29.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins GitHub Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.34.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.34.3.1"
},
{
"status": "unaffected",
"version": "1.34.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:23:58.571Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-36885",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins GitHub Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.34.4"
},
{
"version_affected": "!",
"version_value": "1.34.3.1"
},
{
"version_affected": "!",
"version_value": "1.34.1.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208: Observable Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
},
{
"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-36885",
"datePublished": "2022-07-27T14:21:38.000Z",
"dateReserved": "2022-07-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:14:29.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000600 (GCVE-0-2018-1000600)
Vulnerability from cvelistv5 – Published: 2018-06-26 17:00 – Updated: 2024-09-16 23:01
VLAI?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-26T17:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-1000600",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000600",
"datePublished": "2018-06-26T17:00:00.000Z",
"dateReserved": "2018-06-26T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:52.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000183 (GCVE-0-2018-1000183)
Vulnerability from cvelistv5 – Published: 2018-06-05 20:00 – Updated: 2024-09-17 03:07
VLAI?
Summary
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-05T20:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-05T12:46:01.939725",
"DATE_REQUESTED": "2018-06-05T00:00:00",
"ID": "CVE-2018-1000183",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000183",
"datePublished": "2018-06-05T20:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:07:20.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000184 (GCVE-0-2018-1000184)
Vulnerability from cvelistv5 – Published: 2018-06-05 20:00 – Updated: 2024-09-16 22:56
VLAI?
Summary
A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-05T20:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-05T12:46:01.940841",
"DATE_REQUESTED": "2018-06-05T00:00:00",
"ID": "CVE-2018-1000184",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000184",
"datePublished": "2018-06-05T20:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:33.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}