» 2019 » 4월

CVE-2015-9286

Posted on 2019년 4월 30일2019년 5월 1일 by admin

CVE-2015-9286

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

Source: CVE-2015-9286

CVE-2019-10313

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10313

Jenkins Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Source: CVE-2019-10313

CVE-2019-10308

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10308

A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users.

Source: CVE-2019-10308

CVE-2019-10318

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10318

Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.

Source: CVE-2019-10318

CVE-2019-10316

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10316

Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Source: CVE-2019-10316

CVE-2019-10307

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10307

A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.

Source: CVE-2019-10307

CVE-2019-10317

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10317

Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

Source: CVE-2019-10317

CVE-2019-10311

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10311

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Source: CVE-2019-10311

CVE-2019-10312

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10312

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

Source: CVE-2019-10312

CVE-2019-10309

Posted on 2019년 4월 30일2019년 4월 30일 by admin

CVE-2019-10309

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

Source: CVE-2019-10309