CPE Details
Jenkins Config File Provider 3.4.1 for Jenkins
3.4.1
2019-02-19
12h50 +00:00
12h50 +00:00
2019-02-19
12h50 +00:00
12h50 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:jenkins:config_file_provider:3.4.1:*:*:*:*:jenkins:*:*
Informations
Vendor
jenkinsProduct
config_file_providerVersion
3.4.1Target Software
jenkinsRelated CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | 7.5 |
High |
||
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs. | 4.3 |
Medium |
||
| A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID. | 5.4 |
Medium |
||
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
High |
||
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. | 6.5 |
Medium |
||
| An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. | 4.8 |
Medium |
2025©
tesweb SA
